Set   Items    Description

S1    204      (DIGITAL? OR MULTIMEDIA?) () (GOOD? OR PRODUCT? OR ENTIT? OR MODULE? OR UNIT? OR DEVICE?) OR MPEG? ? OR MP3? ?
S2    771034   SOFTWARE? OR NONSOFTWARE? OR DVD? ? OR CDROM? OR CD()ROM? ? OR DISK? OR DISC? ? OR FLOPPY? OR FLOPPIE?
S3    14439    (AUDIO? (ION) VIDEO?) (2N) (DATA? OR GOOD? OR PRODUCT? OR MODULE? OR ENTIT? OR UNIT? OR DEVICE?)
S4    218      SBOX? OR S() (BOX OR BOXES)
S5    0        RIJNDAELSBOX? OR S () FUNCTION? ( ) (BOX OR BOXES)
S6    1        (SOFTWARE? OR SOFT()WARE?) () USAGE? () MONITOR? ( ) (BOX OR BOXES) OR SUBSTITUT? () FUNCTION? () (BOX OR BOXES)
S7    27       SUBSTITUTION? () (LOOKUP OR LOOK? () UP) () TABLE? OR SUBSTITUT?()LUT? ? OR SUBSTITUT? () (BOX OR BOXES)
S8    0        RANDOM? () SUBSTITUT? () (LUT? ? OR BOX OR BOXES OR TABLE?)
S9    4826429  PARTITION? OR PART? ? OR PARTIAL? OR SEGMENT? OR DIVISION?
S10   1333872  PARCEL? OR PIECE? OR CHUNK? OR FRACTION? OR SLICE? OR DIVID?
S11   3501297  SECTION? OR SECTOR? OR PORTION? OR APPORTION? OR SECTOR?
S12   3951607  FIRST? OR 1ST OR PRIMARY OR INITIAL? OR ORIGINAL? OR LEADOFF? OR MAIN OR CHIEF OR INTRODUCTORY? OR MASTER?
S13   322126   SUBSTITUT? OR PROXIE? OR PROXY? OR STANDIN OR STANDINS OR STAND? ( ) IN
S14   867640   PSEUD? OR SYNTHE? OR ARTIFICIAL? OR TEMPORAR?
S15   5173224  SECOND? OR 2ND OR DOUBL? OR TWIN? OR EXTRA? OR ANOTHER OR SUBSIDIAR? OR AUXILIAR? OR DIFFERENT? OR ALTERNAT? OR SLAVE?
S16   43173    ENCRYPT? OR ENCIPHER? OR ENCYPHER? OR SCRAMBL? OR HASH? OR CRYPT? OR ENSCRAMBL?
S17   13664    DECRYPT? OR DECIPHER? OR DECYPHER? OR DESCRAMBL? OR DEHASH? OR UNSCRAMBL? OR UNENCRYPT?
S18   413630   IC=(H04K? OR H04L?)
S19   1738712  MC=(T01? OR W01? OR W04?)
S20   50       S4:S8 AND S9:S12 AND S16:S17
S21   47       S20 AND (S1:S3 OR S12:S15 OR S18:S19)
S22   6        S1:S3 AND S4:S8 AND S9:S11
S23   104      S4:S8 AND S9:S11
S24   74       S23 AND (S1:S3 OR S12:S19)
S25   119      S20:S24
S26   848684   PR=2001:2006
S27   109      S25 NOT S26
S28   109      IDPAT (sorted in duplicate/non-duplicate order)
Block cipher secure against differential and linear cryptanalysis

Previous Publ. patent JP 11073101
Previous Publ. patent KR 99002840



. . . divides the input into two half-blocks which are combined with the key octet by octet, then shifted left after passing through substitution boxes

. . . Abstract (Basic): The encryption algorithm divides the data stream into blocks of 2N octets, and the blocks are divided into a first and a second half. An exclusive-OR operation is performed between the second half and a rotation key of M octets. The result of this step is divided into L blocks of eight bits, and the first block is sent to a first S-box, and each of the remaining blocks is sent to a corresponding S-box after it has been combined with the output of the preceding S-box.



. . . The output of each of the S-boxes is rotated left, and the results used to form a new second half of the input block, while the old second half forms a new half . . .

. . . USE - Encryption of digital audio streams . . .

. . . ADVANTAGE - Allows construction of an encryption algorithm from blocks of fast algorithms to give fast encryption and decryption with an algorithm that is resistant to differential and linear cryptanalysis.

...Title Terms: DIFFERENTIAL ; 

...International Patent Class (Main): H04L-009/06 ... 
. . . H04L-009/28 

Manual Codes (EPI/S-X) : T01-E02 ... 
. . . T01-J04 . . . 
(57) ABSTRACT

The present invention relates to a block cipher algorithm based on the prior Feistel type block cipher algorithm (similar to the DES algorithm). Usually the security of a Feistel type block cipher algorithm depends on the structure of its round function. More specifically, the present invention relates to the round function structure of the Feistel type block cipher algorithm, in which the round input data block is divided into 8-bit sub-blocks and each divided sub-block, except for the first one, is fed into a 256x8 S-box after being combined with the output data of the previous S-box. The first sub-data block is fed directly into the first S-box. The total output data block, after these steps, is rotated by 8 bits and this rotated result is the output of the current round function.

26 Claims, 4 Drawing Sheets
Block 180 illustrates the 32-bit right half of the 64-bit input plain text to the cipher SNAKE. Block 190 illustrates the round function of SNAKE, the structure of which was described in FIG. 1. Block 200 illustrates a round key generated from SNAKE's key scheduling process shown in FIGS. 2A-2B. Block 210 illustrates a logic exclusive-OR operator. Block 220 illustrates the 32-bit left half of the 64-bit final output data, such as encrypted data or cipher text, through the 16-round process of SNAKE, which executes a one-round process repeated 16 times. Block 230 illustrates the 32-bit right half of the 64-bit final output data, such as encrypted data or cipher text, through the same 16-round process of SNAKE.

In summary, SNAKE operates on a 64-bit block of plain text. The block is broken into a right half and a left half, each 32 bits long. Then there are 16 rounds of identical operations, with reference to FIG. 3, called round function F, in which the data are combined with the key via an XOR operation. After the sixteenth round, the right and left halves are joined, and the algorithm is completed. In each round the right half (32 bits) of the previous round's output data is combined with its round key (via XOR) and the resulting data is broken into four 8-bit data blocks, X1, X2, X3, X4.

The data blocks form the input data to the previously described round function F. The output data of F are then combined with the 32-bit left half data block via XOR to become the next (new) round's right half data block, while the old right half becomes the new left half. These operations are repeated 16 times, thereby making 16 rounds of SNAKE.

If B_j is the result of the j-th iteration, L_j and R_j are the left and right halves of B_j, K_j is the key for round j, and F is the round function described previously, then a round looks like:

$L_j = R_{j-1};\quad R_j = L_{j-1} \oplus F(R_{j-1}, K_j)$

In the present invention, the security (resistance) of SNAKE can be deduced by considering the output difference from each S-box when a pair of data values with a given difference (input difference) is taken as the variable parameters, and by constructing a linear system of equations in these difference variables to obtain its coefficient matrix, which is called the 'Transient Differential Matrix'. By making or finding conditions that confine the cipher to its 'rank', the round function structure of SNAKE can be deduced. The proof of the security was disclosed in Chang-hyi Lee and Young-tae Cha, "The Block Cipher: SNAKE with Provable Resistance against DC and LC Attacks", JW-ISC (1997), herein incorporated by reference.

The processing speed of the present invention is faster than that of DES. In the simulation of SNAKE, implemented in the C++ language on a 120 MHz PENTIUM PC, the encryption process of the present invention performs at 16 Mbps, while DES performs at 10.4 Mbps on the same machine.

The invention may be embodied in a general purpose digital computer that is running a program or program segments originating from a computer readable or usable medium, such medium including, but not limited to, magnetic storage media (e.g., ROMs, floppy disks, hard disks, etc.), optically readable media (e.g., CD-ROMs, DVDs, etc.), and carrier waves (e.g., transmissions over the Internet). A functional program, code and code segments, used to implement the present invention can be derived by a skilled computer programmer from the description of the invention contained herein.

The previous description of the exemplary embodiments is provided to enable any person skilled in the art to make or use the present invention. The various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without the use of the inventive faculty. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
What is claimed is: 

1. A block cipher method having a round process and 
having a key scheduling algorithm, comprising: 

(a) dividing a data stream into 2N-byte data blocks, each 
block being divided into a first half block and a second 
half block; 

(b) executing a logical exclusive-OR operation with the 
second half block and an N-byte round key; 

(c) dividing a result of step (b) into N divided blocks, sending a first divided block to a first S-box S1 and sending to each remaining S-box S2, ..., Sn a result of executing a logical exclusive-OR operation of each corresponding divided block with output data from the previous S-box;

(d) rotating an N-byte result of step (c) to the left by M 
bits; 

(e) executing a logical exclusive-OR operation with the 
first half block and a result of step (d); 

(f) relabeling the second half block as a new first half 
block for use in a next round, said next round utilizing 
a next round key; 

(g) relabeling a result of step (e) as a new second half 
block for use in said next round; 

(h) executing subsequent rounds by repeating steps (b) 
through (g) until just before a final round; 

(i) sending a final second half block to a right half of a final output and executing a logical exclusive-OR operation with the final second half block and a final N-byte round key;

(j) dividing a result of the logical exclusive-OR operation 
of step (i) into N final-round blocks, sending a first 
final-round block to the first S-box and sending to each 
remaining S-box a result of executing a logical 
exclusive-OR operation of each corresponding final- 
round block with output data from the previous S-box; 

(k) rotating an N-byte result of step (j) to the left by M 
bits; and 

(l) sending a result of executing a logical exclusive-OR operation with a final first half block and a result of step (k) to a left half of the final output.

2. The block cipher method of claim 1, wherein said round 
keys are generated by a method comprising the steps of: 

(m) breaking N-byte seed key data into N seed sub- 
blocks; 

(n) executing modular addition with a first seed sub-block 
and an N-th seed sub-block and sending a result of this 
modular addition to a first intermediate-result sub- 
block of an N-byte intermediate result; 

(o) executing a logical exclusive-OR operation with a second seed sub-block and the first intermediate-result sub-block resulting from step (n) and sending a result of this logical exclusive-OR operation to a second intermediate-result sub-block of the N-byte intermediate result;

US 6,314,186 B1

(p) executing modular addition with a j-th seed sub-block and a (j-1)-th intermediate-result sub-block and sending a result of this modular addition to a j-th intermediate-result sub-block of the N-byte intermediate result;

(q) executing a logical exclusive-OR operation with a (j+1)-th seed sub-block and the j-th intermediate-result sub-block and sending a result of this logical exclusive-OR operation to a (j+1)-th intermediate-result sub-block of the N-byte intermediate result;

(r) carrying out steps (p) and (q) repeatedly for j=3, 5, 7, ..., (N-1) until an N-th intermediate-result sub-block of the N-byte intermediate result is generated;

(s) executing a logical exclusive-OR operation with the N-byte intermediate result and an N-byte number having a random sequence of bits;

(t) executing on a result of step (s) a rotation operation to 
the left by L bits; 

(u) assigning a result of step (t) to be a first round key 
having N-bytes; 

(v) substituting the first round key for the previous N-byte seed key data for use as new N-byte seed key data and repeating steps (m) through (t) in order to generate a second round key; and

(w) repeating steps (m) through (t) to generate subsequent round keys, wherein each subsequent round key is generated by using the preceding round key as N-byte seed key data in step (m).

3. A computer useable medium having embodied thereon a computer program for executing a block cipher, the block cipher having a round process, the computer program being executable by a machine to perform the steps of:

(a) dividing a data stream into 2N-byte data blocks, each 
block being divided into a first half block and a second 
half block; 

(b) executing a logical exclusive-OR operation with the 
second half block and an N-byte round key; 

(c) dividing a result of step (b) into N divided blocks, sending a first divided block to a first S-box S1 and sending to each remaining S-box S2, ..., Sn a result of executing a logical exclusive-OR operation of each corresponding divided block with output data from the previous S-box;

(d) rotating an N-byte result of step (c) to the left by M bits;

(e) executing a logical exclusive-OR operation with the 
first half block and a result of step (d); 

(f) relabeling the second half block as a new first half 
block for use in a next round, said next round utilizing 
a next round key; 

(g) relabeling a result of step (e) as a new second half 
block for use in said next round; 

(h) executing subsequent rounds by repeating steps (b) 
through (g) until just before a final round; 

(i) sending a final second half block to a right half of a final output and executing a logical exclusive-OR operation with the final second half block and a final N-byte round key;

(j) dividing a result of the logical exclusive-OR operation of step (i) into N final-round blocks, sending a first final-round block to the first S-box and sending to each remaining S-box a result of executing a logical exclusive-OR operation of each corresponding final-round block with output data from the previous S-box;

(k) rotating an N-byte result of step (j) to the left by M bits; and



(l) sending a result of executing a logical exclusive-OR operation with a final first half block and a result of step (k) to a left half of the final output.

4. The computer useable medium of claim 3, wherein said 
round keys are generated by a method comprising the steps 
of: 

(m) breaking N-byte seed key data into N seed sub- 
blocks; 

(n) executing modular addition with a first seed sub-block and an N-th seed sub-block and sending a result of this modular addition to a first intermediate-result sub-block of an N-byte intermediate result;

(o) executing a logical exclusive-OR operation with a second seed sub-block and the first intermediate-result sub-block resulting from step (n) and sending a result of this logical exclusive-OR operation to a second intermediate-result sub-block of the N-byte intermediate result;

(p) executing modular addition with a j-th seed sub-block and a (j-1)-th intermediate-result sub-block and sending a result of this modular addition to a j-th intermediate-result sub-block of the N-byte intermediate result;

(q) executing a logical exclusive-OR operation with a (j+1)-th seed sub-block and the j-th intermediate-result sub-block and sending a result of this logical exclusive-OR operation to a (j+1)-th intermediate-result sub-block of the N-byte intermediate result;

(r) carrying out steps (p) and (q) repeatedly for j=3, 5, 7, ..., (N-1) until an N-th intermediate-result sub-block of the N-byte intermediate result is generated;

(s) executing a logical exclusive-OR operation with the 
N-byte intermediate result and an N-byte number hav- 
ing a random sequence of bits; 

(t) executing on a result of step (s) a rotation operation to 
the left by L bits; 

(u) assigning a result of step (t) to be a first round key 
having N-bytes; 

(v) substituting the first round key for the previous N-byte 
seed key data for use as new N-byte seed key data and 
repeating steps (m) through (t) in order to generate a 
second round key; and 

(w) repeating steps (m) through (t) to generate subsequent 
round keys, wherein each subsequent round key is 
generated by using the preceding round key as N-byte 
seed key data in step (m). 

5. The block cipher method of claim 2, wherein said divided blocks, said final-round blocks, and said seed sub-blocks are 8 bits in length, wherein said modular addition is 256-modular addition, and wherein M=8 and L=5.

6. The block cipher method of claim 5, wherein said S-boxes S1, S2, ..., Sn are selected from one of Type 1 or Type 2, wherein:

Type 1: S1=S2=...=Sn=f(x)
Type 2: S1=S3=S5=...=f(x)
        S2=S4=S6=...=g(x),

wherein f(x)=x^(-1) is the algebraic inversion in the Galois Field GF(256) and g(x)=h(h(x)) is the self-composition of the modular exponential function with base 45, wherein h(x)=45^x mod 257.

7. The block cipher method of claim 1, wherein said 
divided blocks and said final-round blocks are 8 bits in 
length, and wherein M=8. 

8. The block cipher method of claim 7, wherein said S-boxes S1, S2, ..., Sn are selected from one of Type 1 or Type 2, wherein:

Type 1: S1=S2=...=Sn=f(x)
Type 2: S1=S3=S5=...=f(x)
        S2=S4=S6=...=g(x),

wherein f(x)=x^(-1) is the algebraic inversion in the Galois Field GF(256) and g(x)=h(h(x)) is the self-composition of the modular exponential function with base 45, wherein h(x)=45^x mod 257.

9. The block cipher method of claim 1, wherein said round keys are generated by a method comprising the steps of:

(m) breaking a seed key into a plurality of N-byte seed key blocks;

(n) assigning a first N-byte seed key block to be a first N-byte round key;

(o) assigning a second N-byte seed key block to be a second N-byte round key;

(p) executing a function using the second N-byte seed key block as input into the function, the function producing N-byte output;

(q) executing a logical exclusive-OR operation with a result of step (p) and a fourth N-byte seed key block;

(r) assigning a result of step (q) to be a third N-byte round key;

(s) executing the function using the first N-byte seed key block as input into the function;

(t) executing a logical exclusive-OR operation with a result of step (s) and a third N-byte seed key block;

(u) assigning a result of step (t) to be a fourth round key; and

(v) generating remaining round keys, wherein an (i+1)-th round key is generated by executing a logical exclusive-OR operation with an (i-1)-th round key and a result of executing the function on an i-th round key, wherein the remaining round keys are generated for i=4, 5, 6, etc. until a final round key is generated.

10. The block cipher method of claim 9, wherein executing the function comprises the steps of:

(1) breaking N-byte seed-key data into N seed sub-blocks;

(2) executing modular addition with a first seed sub-block and an N-th seed sub-block and sending a result of this modular addition to a first intermediate-result sub-block of an N-byte intermediate result;

(3) executing a logical exclusive-OR operation with a second seed sub-block and the first intermediate-result sub-block resulting from step (2) and sending a result of this logical exclusive-OR operation to a second intermediate-result sub-block of the N-byte intermediate result;

(4) executing modular addition with a j-th seed sub-block and a (j-1)-th intermediate-result sub-block and sending a result of this modular addition to a j-th intermediate-result sub-block of the N-byte intermediate result;

(5) executing a logical exclusive-OR operation with a (j+1)-th seed sub-block and the j-th intermediate-result sub-block and sending a result of this logical exclusive-OR operation to a (j+1)-th intermediate-result sub-block of the N-byte intermediate result;

(6) carrying out steps (4) and (5) repeatedly for j=3, 5, 7, ..., (N-1) until an N-th intermediate-result sub-block is generated;

(7) executing a logical exclusive-OR operation with the N-byte intermediate result and an N-byte number having a random sequence of bits; and

(8) executing on a result of step (7) a rotation operation to the left by L bits.



11. The block cipher method of claim 10, wherein said 
divided blocks, said final-round blocks, and said seed sub- 
blocks are 8 bits in length, wherein said modular addition is 
256-modular addition, and wherein M=8 and L=5. 

12. The computer useable medium of claim 4, wherein 
said divided blocks, said final-round blocks, and said seed 
sub-blocks are 8 bits in length, wherein said modular addi- 
tion is 256-modular addition, and wherein M=8 and L=5. 

13. The computer useable medium of claim 3, wherein 
said divided blocks and said final-round blocks are 8 bits in 
length, and wherein M=8. 

14. The computer useable medium of claim 13, wherein 
the round process repeats sixteen times and wherein sixteen 
round keys are utilized. 

15. The computer useable medium of claim 4, wherein said N-byte number having a random sequence of bits is "0xb7e15163" and wherein N=4.

16. A block cipher method, comprising the steps of: 

(a) dividing a data stream into blocks, each block being 
divided into a first half block and a second half block; 

(b) combining the second half block with a round key 
using a first logical operation; 

(c) dividing a result of step (b) into sub-blocks, using a 
first sub-block to provide input into a first S-box, and 
using remaining sub-blocks to provide input into 
remaining S-boxes, wherein a remaining sub-block is 
combined with output from a remaining S-box using a 
second logical operation, and wherein the result of the 
second logical operation is provided as input into 
another S-box; 

(d) permuting the outputs from the S-boxes resulting from 
step (c); 

(e) combining a result of step (d) with the first half block 
using a third logical operation; 

(f) relabeling the second half block as a new first half 
block for use in a next round, the next round utilizing 
a next round key; 

(g) relabeling a result of step (e) as a new second half 
block for use in the next round; 

(h) repeating steps (b) through (g) for subsequent rounds; 

(i) generating a right half of a final output using a final 
second half block; and 

(j) generating a left half of the final output using a final 
first half block. 

17. The block cipher method of claim 16, wherein the 
first, second and third logical operations are selected from 
the group consisting of exclusive-OR and modular addition. 

18. The block cipher method of claim 17, wherein per- 
muting the outputs of the S-boxes referred to in step (d) 
comprises rotating the outputs of the S-boxes by a prede- 
termined number of bits. 

19. The block cipher method of claim 18, wherein the second logical operation is the exclusive-OR operation, and wherein the input to the k-th S-box in step (c) is given by X(k) ⊕ S(k-1), wherein

X(k) represents the k-th sub-block,

S(k-1) represents the output from the (k-1)-th S-box,

⊕ represents the exclusive-OR operation, and

k>1.

20. The block cipher method of claim 19, wherein the first and third logical operations are exclusive-OR operations.

21. A method of generating round keys, comprising the 
steps of: 

(a) breaking a seed key into a plurality of seed key blocks;

(b) assigning a first seed key block to be a first round key, K(1);

(c) assigning a second seed key block to be a second round key, K(2);

(d) generating subsequent round keys using output from a key-generating function (FUNCTION) wherein at least some of said subsequent round keys are generated according to the relation K(i+1)=FUNCTION(K(i)) □ K(i-1), wherein

K(i+1) is the (i+1)-th round key,
K(i-1) is the (i-1)-th round key,
K(i) is the i-th round key,
and

□ represents a first logical operation that combines FUNCTION(K(i)) and K(i-1).

22. The method of claim 21, wherein the first logical 
operation □ is one of an exclusive-OR operation and 
modular addition. 

23. The method of claim 22, wherein the key-generating function (FUNCTION) performs steps including:

(e) breaking input data into sub-blocks, Q(j);

(f) combining sub-blocks using second and third logical 
operations to generate intermediate sub-blocks, T(j); 

(g) combining the result of step (f) with a number having 
a random sequence of bits using a fourth logical 
operation; and 

(h) permuting the result of step (g). 

24. The method of claim 23, wherein the combining in step (f) generates intermediate sub-blocks, T(j), according to the relation T(j)=Q(j) □ T(j-1), wherein

□ represents either of the second and third logical operations, and wherein j>1.

25. The method of claim 24, wherein the second, third, 
and fourth logical operations are selected from the group 
consisting of exclusive-OR and modular addition. 

26. The method of claim 25, wherein said permuting in 
step (h) comprises rotating by a predetermined number of 
bits. 

***** 
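A Python model of the SNAKE round described in the summary above and in claim 1, together with the round-key schedule of claims 2 and 15 (N=4, L=5, M=8). This is an added illustration, not the patent's own code; it assumes big-endian byte order within each 32-bit word, the AES reduction polynomial for GF(256) (the patent does not name one) with 0 mapped to 0, and Type 1 S-boxes throughout.

```python
# Model of the SNAKE round function and key schedule (added example, not the patent's code).
# Assumptions not fixed by the text: X1 is the most significant byte of the 32-bit word,
# GF(256) uses x^8+x^4+x^3+x+1 as reduction polynomial, inverse(0) = 0, Type 1 S-boxes.

MASK32 = 0xFFFFFFFF
ROUNDS = 16
RANDOM_WORD = 0xB7E15163   # the "random sequence of bits" named in claim 15 (N = 4)
KEY_ROT = 5                # L = 5 (claims 5 and 11)
ROUND_ROT = 8              # M = 8 (claims 5 and 7)


def gf_mul(a, b):
    """Multiply in GF(256) modulo x^8+x^4+x^3+x+1 (assumed reduction polynomial)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r & 0xFF


def build_inverse_sbox():
    """f(x) = x^-1 in GF(256) (claims 6 and 8); 0 maps to 0 by convention."""
    box = [0] * 256
    for x in range(1, 256):
        for y in range(1, 256):
            if gf_mul(x, y) == 1:
                box[x] = y
                break
    return box


SBOX = build_inverse_sbox()


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def round_function(right, key):
    """Claim 1 steps (b)-(d): XOR the round key, chain the four bytes through the
    S-boxes, then rotate the 32-bit result left by M = 8 bits."""
    t = (right ^ key) & MASK32
    x = [(t >> 24) & 0xFF, (t >> 16) & 0xFF, (t >> 8) & 0xFF, t & 0xFF]
    y = [0] * 4
    y[0] = SBOX[x[0]]                  # first sub-block goes straight into S1
    for k in range(1, 4):              # remaining: X(k) XOR S(k-1) feeds S(k)
        y[k] = SBOX[x[k] ^ y[k - 1]]
    out = (y[0] << 24) | (y[1] << 16) | (y[2] << 8) | y[3]
    return rotl32(out, ROUND_ROT)


def next_round_key(seed):
    """Claim 2 steps (m)-(t) with N = 4: alternate modular addition and XOR across
    the seed bytes, XOR with the random word, rotate left by L = 5 bits."""
    q = [(seed >> 24) & 0xFF, (seed >> 16) & 0xFF, (seed >> 8) & 0xFF, seed & 0xFF]
    t = [0] * 4
    t[0] = (q[0] + q[3]) & 0xFF        # (n) first + N-th seed sub-block, mod 256
    t[1] = q[1] ^ t[0]                 # (o)
    t[2] = (q[2] + t[1]) & 0xFF        # (p) j = 3
    t[3] = q[3] ^ t[2]                 # (q) j = 3
    inter = (t[0] << 24) | (t[1] << 16) | (t[2] << 8) | t[3]
    return rotl32(inter ^ RANDOM_WORD, KEY_ROT)


def key_schedule(seed):
    """Each round key is derived from the preceding one (claim 2 steps (u)-(w))."""
    keys = []
    for _ in range(ROUNDS):
        seed = next_round_key(seed)
        keys.append(seed)
    return keys


def feistel(block, keys):
    """Claim 1: 15 rounds with the half swap, then a final round without it."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for key in keys[:-1]:
        left, right = right, left ^ round_function(right, key)
    left ^= round_function(right, keys[-1])   # steps (i)-(l): no swap in the final round
    return (left << 32) | right


def encrypt(block, seed):
    return feistel(block, key_schedule(seed))


def decrypt(block, seed):
    """Same network with the round keys applied in reverse order."""
    return feistel(block, key_schedule(seed)[::-1])


if __name__ == "__main__":
    pt, seed = 0x0123456789ABCDEF, 0xDEADBEEF      # constructed sample values
    ct = encrypt(pt, seed)
    print(f"plaintext  {pt:016x}\nciphertext {ct:016x}\nrecovered  {decrypt(ct, seed):016x}")
```

Because the final round omits the half swap, the decryption direction is the identical network fed the round keys in reverse order, which is what the `decrypt` helper relies on.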
ABSTRACT

The present invention provides a technique, system, and computer program for a symmetric key block cipher. Variable block sizes and key sizes are supported, as well as a variable number of rounds. The cipher uses multiple stages of processing, where the stages have different structures and different subround functions, to provide excellent resistance to both linear and differential attacks. Feistel Type-1 and Type-3 are both used, each during different stages. The number of rounds may vary among stages. Subkeys are used in some, but not all, stages. The variable-length keys can be precomputed. A novel manner of using data-dependent rotation in a cipher is defined.

25 Claims, 9 Drawing Sheets



The general structure of the encryption operation:

plaintext words: D[0] D[1] D[2] D[3]
Stage 1: key addition
Stage 2: mixing (r1 rounds of unkeyed mixing)
Stage 3: core (r2 rounds of keyed transformation)
Stage 4: mixing (r1 rounds of unkeyed mixing)
Stage 5: key addition
ciphertext words: c[0] c[1] c[2] c[3]

-continued

    D[0] = IROTATE(D[0], D[1], w);
    D[1] -= D[3];
    D[0] ^= D[1];

    D[1] -= E[n--];
    D[1] = IROTATE(D[1], 7, w);
    D[1] ^= D[2];
}

/* begin subround 4 */
As will be understood by one skilled in the art, this "C" language code specifies the processing for 2 rounds. The first set of statements is used for an even-numbered round, and the second set of statements is used for an odd-numbered round. As previously indicated, these statements correspond to the diagrams shown for encryption in FIGS. 6B and 6A, respectively, if those diagrams are read from the bottom up, addition is changed to subtraction, and left rotation is changed to right rotation.

The stage begins by first initializing the subkey index to point to the last subkey from a group of 8 subkeys that were used during encryption for one iteration through the Stage 3 processing. Then processing for an even-numbered round of decryption begins, and that subkey value is subtracted from D[3]. The subkey index is decremented. Then, D[3] is rotated to the right, where the amount of rotation is determined using the value in D[1]. Next, the value of D[0] is subtracted from D[1]. Finally, this subround performs an exclusive OR operation, where the two operands are the data words D[2] and D[3]. The result becomes the new value of D[3].

In the second subround, the next-preceding subkey (that is, the one indexed by the previously-decremented value) is subtracted from D[2], and the index is again decremented. The new value of D[2] is then rotated to the right, with the amount of rotation again specified by the value in D[1]. The value in D[3] is then subtracted from D[1]. Finally, D[0] is exclusive OR'd with D[2], forming a new value for D[2].

The third and fourth subrounds for the even-numbered rounds are similar. In the third subround, the next preceding subkey is subtracted from D[0]; D[0] is rotated to the right by the amount indicated by D[1]; D[2] is subtracted from D[1]; and D[1] is exclusive OR'd with D[0], forming a new D[0]. In the fourth subround, the next preceding subkey is subtracted from D[1]; D[1] is rotated 7 positions to the right; and D[3] is exclusive OR'd with D[1], forming a new value for D[1].

By the end of this even-numbered round, all of the data words have been rotated, the value of each data word has impacted a rotation operation, each data word has been exclusive OR'd with another data word, and each data word has a new value.

For an odd-numbered round, the processing is similar to that just described for even rounds. The only difference is the order in which the different data words are used by the operations, as shown by the "C" language statements.
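A Python model of the even-numbered Stage 3 decryption round exactly as the four subrounds are spelled out above, with the encryption direction obtained by reading the subrounds bottom-up, turning subtraction into addition and right rotation into left rotation. This is an added example, not the patent's own "C" code; it assumes 32-bit words, rotation amounts reduced modulo the word size, and a subkey array E[] with the index n pointing at the last subkey of the current iteration.

```python
# Even-numbered Stage 3 round, decryption as described and its derived inverse
# (added example, not the patent's code). Assumed: w = 32-bit words, rotation
# amounts taken mod 32, subkeys in a list E indexed by n as in the "C" fragment.

W = 32
MASK = (1 << W) - 1


def rotr(x, n):
    n %= W
    return ((x >> n) | (x << (W - n))) & MASK


def rotl(x, n):
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK


def decrypt_even_round(D, E, n):
    """Four decryption subrounds. D: four data words, E: subkeys, n: index of the
    last subkey this round used during encryption. Returns (words, next index)."""
    D = list(D)
    # subround 1: subkey off D[3], data-dependent right rotation by D[1], adjust D[1], XOR
    D[3] = (D[3] - E[n]) & MASK; n -= 1
    D[3] = rotr(D[3], D[1])
    D[1] = (D[1] - D[0]) & MASK
    D[3] ^= D[2]
    # subround 2: same pattern applied to D[2]
    D[2] = (D[2] - E[n]) & MASK; n -= 1
    D[2] = rotr(D[2], D[1])
    D[1] = (D[1] - D[3]) & MASK
    D[2] ^= D[0]
    # subround 3: same pattern applied to D[0]
    D[0] = (D[0] - E[n]) & MASK; n -= 1
    D[0] = rotr(D[0], D[1])
    D[1] = (D[1] - D[2]) & MASK
    D[0] ^= D[1]
    # subround 4: D[1] itself is transformed, with a fixed rotation of 7 positions
    D[1] = (D[1] - E[n]) & MASK; n -= 1
    D[1] = rotr(D[1], 7)
    D[1] ^= D[3]
    return D, n


def encrypt_even_round(D, E, n):
    """Inverse of decrypt_even_round: subrounds in reverse order, each step undone.
    n is the index of the first subkey this round consumes."""
    D = list(D)
    # undo subround 4
    D[1] ^= D[3]
    D[1] = rotl(D[1], 7)
    D[1] = (D[1] + E[n]) & MASK; n += 1
    # undo subround 3: D[1] is restored before the rotation that depended on it
    D[0] ^= D[1]
    D[1] = (D[1] + D[2]) & MASK
    D[0] = rotl(D[0], D[1])
    D[0] = (D[0] + E[n]) & MASK; n += 1
    # undo subround 2
    D[2] ^= D[0]
    D[1] = (D[1] + D[3]) & MASK
    D[2] = rotl(D[2], D[1])
    D[2] = (D[2] + E[n]) & MASK; n += 1
    # undo subround 1
    D[3] ^= D[2]
    D[1] = (D[1] + D[0]) & MASK
    D[3] = rotl(D[3], D[1])
    D[3] = (D[3] + E[n]) & MASK; n += 1
    return D, n


def roundtrip(D, E, first):
    """Encrypt one even round from subkey index `first`, then decrypt it again."""
    C, nxt = encrypt_even_round(D, E, first)
    P, back = decrypt_even_round(C, E, nxt - 1)
    return C, P, back


if __name__ == "__main__":
    E = [0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0x0BADF00D,     # constructed subkeys
         0x13579BDF, 0x2468ACE0, 0xFEDCBA98, 0x76543210]
    D = [0x11111111, 0x22222222, 0x33333333, 0x44444444]     # constructed data words
    C, P, _ = roundtrip(D, E, 4)
    print([f"{w:08x}" for w in C], [f"{w:08x}" for w in P])
```

The round-trip works only because each data-dependent rotation reads D[1] at a point where the inverse direction has already restored that same value, which is why the order of the subtraction and rotation steps in each subround matters.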

While the preferred embodiment of the present invention has been described, additional variations and modifications in that embodiment may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims shall be construed to include both the preferred embodiment and all such variations and modifications as fall within the spirit and scope of the invention.

We claim:

1. A method of carrying out a symmetric key block cipher using multiple stages, comprising the steps of:

performing a first simple arithmetic operation in a first stage;

performing a Type-3 Feistel unkeyed mixing operation in a second stage;

performing a Type-1 Feistel keyed data-dependent rotation transform in a third stage, wherein a fixed location is used to specify an amount of the data-dependent rotation for each of a plurality of rounds of the third stage;

performing a Type-3 Feistel unkeyed inverse mixing operation in a fourth stage; and

performing a second simple arithmetic operation in a fifth stage, wherein the first simple arithmetic operation and the second simple arithmetic operation may be identical.

2. The method according to claim 1, wherein one or more 
of the steps is embodied in a hardware chip. 

3. The method according to claim 1, wherein:

the first simple arithmetic operation is one of (1) an addition operation, (2) a subtraction operation, or (3) an exclusive OR operation; and

the second simple arithmetic operation is one of (1) the addition operation, (2) the subtraction operation, or (3) the exclusive OR operation.

4. The method according to claim 3, wherein operands of 
the first and second simple arithmetic operations are a word 
being used to encipher a selected data block and a generated 
key value which has a length identical to that of the word. 

5. The method according to claim 1, wherein a plurality 
of first feedback operations are performed between distinct 
rounds of the Type-3 Feistel unkeyed mixing operation, and 
a plurality of second feedback operations are performed 
between distinct rounds of the Type-3 Feistel unkeyed 
inverse mixing operation. 

6. The method according to claim 5, wherein the first 
feedback operation is an addition operation and the second 
feedback operation is a subtraction operation. 

7. The method according to claim 1, wherein the Type-3 
Feistel unkeyed mixing operation and the Type-3 Feistel 
unkeyed inverse mixing operation retrieve values from 2 
substitution boxes. 

8. The method according to claim 1, wherein a round 
function used in each of a plurality of subrounds of the 
plurality of rounds of the third stage for the Type-1 Feistel 
keyed data-dependent rotation transform comprises the steps 
of: 

performing an exclusive OR operation using two selected 
ones of a plurality of words from a block being 
enciphered, wherein one of the two selected ones is a 
word being transformed by a current one of the sub- 
rounds; 

adding, except in an initial even-numbered one of the 
plurality of subrounds and an initial odd-numbered one 
of the plurality of subrounds, a round-specific one of 
the plurality of words to a predetermined one of the 
plurality, wherein the predetermined one stays constant 
throughout all of the plurality of subrounds for all of the 
plurality of rounds; and 

performing the data-dependent rotation operation on the 
word being transformed, using the predetermined one 
as the fixed location to specify the amount of the 
data-dependent rotation operation, except in the initial 
even-numbered and initial odd-numbered subrounds 
which use a fixed value for the amount. 

9. The method according to claim 1, wherein the cipher 
supports a variable number of rounds in at least one of the 
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stages, a variable length of generated key values to be used 
with the cipher in at least the Type-1 Feistel keyed data- 
dependent rotation transform, and a variable length of input 
blocks to be enciphered. 

10. A system for carrying out a symmetric key block cipher using multiple stages on a computer, comprising: 

means for performing a first simple arithmetic operation in a first stage; 

means for performing a Type-3 Feistel unkeyed mixing operation in a second stage; 

means for performing a Type-1 Feistel keyed data-dependent rotation transform in a third stage, wherein a fixed location is used to specify an amount of the data-dependent rotation for each of a plurality of rounds of the third stage; 

means for performing a Type-3 Feistel unkeyed inverse mixing operation in a fourth stage; and 

means for performing a second simple arithmetic operation in a fifth stage, wherein the first simple arithmetic operation and the second simple arithmetic operation may be identical. 

11. The system according to claim 10, wherein: 

the first simple arithmetic operation is one of (1) an addition operation, (2) a subtraction operation, or (3) an exclusive OR operation; and 

the second simple arithmetic operation is one of (1) the addition operation, (2) the subtraction operation, or (3) the exclusive OR operation. 

12. The system according to claim 11, wherein operands of the first and second simple arithmetic operations are a word being used to encipher a selected data block and a generated key value which has a length identical to that of the word. 

13. The system according to claim 10, wherein a plurality of first feedback operations are performed between distinct rounds of the Type-3 Feistel unkeyed mixing operation, and a plurality of second feedback operations are performed between distinct rounds of the Type-3 Feistel unkeyed inverse mixing operation. 

14. The system according to claim 13, wherein the first feedback operation is an addition operation and the second feedback operation is a subtraction operation. 

15. The system according to claim 10, wherein the Type-3 Feistel unkeyed mixing operation and the Type-3 Feistel unkeyed inverse mixing operation retrieve values from 2 substitution boxes. 

16. The system according to claim 10, wherein a round function used in each of a plurality of subrounds of the plurality of rounds of the third stage for the Type-1 Feistel keyed data-dependent rotation transform comprises: 

means for performing an exclusive OR operation using two selected ones of a plurality of words from a block being enciphered, wherein one of the two selected ones is a word being transformed by a current one of the subrounds; 

means for adding, except in an initial even-numbered one of the plurality of subrounds and an initial odd-numbered one of the plurality of subrounds, a round-specific one of the plurality of words to a predetermined one of the plurality, wherein the predetermined one stays constant throughout all of the plurality of subrounds for all of the plurality of rounds; and 

means for performing the data-dependent rotation operation on the word being transformed, using the predetermined one as the fixed location to specify the amount of the data-dependent rotation operation, except in the initial even-numbered and initial odd-numbered subrounds which use a fixed value for the amount. 

17. The system according to claim 10, wherein the cipher supports a variable number of rounds in at least one of the stages, a variable length of generated key values to be used with the cipher in at least the Type-1 Feistel keyed data-dependent rotation transform, and a variable length of input blocks to be enciphered. 

18. A computer program product for carrying out a symmetric key block cipher using multiple stages on a computer, the computer program product embodied in a computer-readable medium and comprising: 

computer-readable program code means for performing a first simple arithmetic operation in a first stage; 

computer-readable program code means for performing a Type-3 Feistel unkeyed mixing operation in a second stage; 

computer-readable program code means for performing a Type-1 Feistel keyed data-dependent rotation transform in a third stage, wherein a fixed location is used to specify an amount of the data-dependent rotation for each of a plurality of rounds of the third stage; 

computer-readable program code means for performing a Type-3 Feistel unkeyed inverse mixing operation in a fourth stage; and 

computer-readable program code means for performing a second simple arithmetic operation in a fifth stage, wherein the first simple arithmetic operation and the second simple arithmetic operation may be identical. 

19. The computer program product according to claim 18, wherein: 

the first simple arithmetic operation is one of (1) an addition operation, (2) a subtraction operation, or (3) an exclusive OR operation; and 

the second simple arithmetic operation is one of (1) the addition operation, (2) the subtraction operation, or (3) the exclusive OR operation. 

20. The computer program product according to claim 19, wherein operands of the first and second simple arithmetic operations are a word being used to encipher a selected data block and a generated key value which has a length identical to that of the word. 

21. The computer program product according to claim 18, wherein a plurality of first feedback operations are performed between distinct rounds of the Type-3 Feistel unkeyed mixing operation, and a plurality of second feedback operations are performed between distinct rounds of the Type-3 Feistel unkeyed inverse mixing operation. 

22. The computer program product according to claim 21, wherein the first feedback operation is an addition operation and the second feedback operation is a subtraction operation. 

23. The computer program product according to claim 18, wherein the Type-3 Feistel unkeyed mixing operation and the Type-3 Feistel unkeyed inverse mixing operation retrieve values from 2 substitution boxes. 

24. The computer program product according to claim 18, wherein a round function used in each of a plurality of subrounds of the plurality of rounds of the third stage for the Type-1 Feistel keyed data-dependent rotation transform comprises: 

computer-readable program code means for performing an exclusive OR operation using two selected ones of a plurality of words from a block being enciphered, wherein one of the two selected ones is a word being transformed by a current one of the subrounds; 

computer-readable program code means for adding, except in an initial even-numbered one of the plurality of subrounds and an initial odd-numbered one of the plurality of subrounds, a round-specific one of the plurality of words to a predetermined one of the plurality, wherein the predetermined one stays constant throughout all of the plurality of subrounds for all of the plurality of rounds; and 

computer-readable program code means for performing the data-dependent rotation operation on the word being transformed, using the predetermined one as the fixed location to specify the amount of the data-dependent rotation operation, except in the initial even-numbered and initial odd-numbered subrounds which use a fixed value for the amount. 

25. The computer program product according to claim 18, wherein the cipher supports a variable number of rounds in at least one of the stages, a variable length of generated key values to be used with the cipher in at least the Type-1 Feistel keyed data-dependent rotation transform, and a variable length of input blocks to be enciphered. 
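The five-stage structure of claims 1 to 9 above (simple arithmetic, unkeyed Type-3 mixing with additive feedback, Type-1 keyed data-dependent rotation whose amount comes from a fixed word location, unkeyed inverse mixing with subtractive feedback, simple arithmetic again), as an added toy example that is not the patent's code. The word size, S-box contents, key expansion, which words each subround reads, and how the subkey enters are all assumptions, and the claims' special-case first subrounds are omitted; what it shows is the check a practitioner wants first, that every stage inverts exactly and that decryption can reuse the two mixing functions in the same order because stage 4 is the inverse of stage 2.

```python
# Toy five-stage cipher following the claim structure above (added example, not
# the patent's code). S-boxes, key schedule and word selection are constructed
# assumptions; stage order, feedback direction and rotation source follow claims.
MASK = 0xFFFFFFFF  # 32-bit words, four words per block (assumption)

def rotl(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK

def rotr(x, n):
    return rotl(x, -n)  # -n & 31 == (32 - n) % 32

def _make_sbox(seed):
    # Constructed 256-entry table from an LCG; no cryptographic merit claimed.
    x, table = seed, []
    for _ in range(256):
        x = (x * 1103515245 + 12345) & MASK
        table.append(x)
    return table

S0, S1 = _make_sbox(0x01234567), _make_sbox(0x76543210)  # the 2 S-boxes

def subkeys(key, count):
    # Placeholder key expansion; data-independent, so precomputable per key.
    return [rotl(key[i % len(key)] ^ S1[i & 0xFF], i) for i in range(count)]

def mix_subround(D, src, inverse=False):
    # Type-3 Feistel unkeyed subround: D[src] is read but never written, so the
    # temporaries recompute exactly on inversion; subtract where forward added.
    s = D[src]
    t1, t2, t3 = S0[s & 0xFF], S1[(s >> 8) & 0xFF], S0[(s >> 16) & 0xFF]
    o1, o2, o3 = (src + 1) % 4, (src + 2) % 4, (src + 3) % 4
    if not inverse:
        D[o1] = (D[o1] + t1) & MASK
        D[o2] ^= t2
        D[o3] = (D[o3] + t3) & MASK
    else:
        D[o1] = (D[o1] - t1) & MASK
        D[o2] ^= t2
        D[o3] = (D[o3] - t3) & MASK

def mixing(D, rounds):
    # Stage 2: unkeyed mixing with an addition feedback between rounds.
    for r in range(rounds):
        if r:
            D[0] = (D[0] + D[3]) & MASK
        for src in range(4):
            mix_subround(D, src)

def inverse_mixing(D, rounds):
    # Stage 4: subtraction feedback; the exact functional inverse of mixing().
    for r in reversed(range(rounds)):
        for src in reversed(range(4)):
            mix_subround(D, src, inverse=True)
        if r:
            D[0] = (D[0] - D[3]) & MASK

FIXED = 0  # fixed location whose low five bits give every rotation amount

def keyed_stage(D, ks, rounds, inverse=False):
    # Stage 3: Type-1 Feistel keyed data-dependent rotation. Each subround
    # transforms one of D[1..3]: XOR with another word plus a subkey, add it
    # into D[FIXED], then rotate it by D[FIXED] & 31 (the claims' fixed-amount
    # first subrounds are not reproduced).
    order = [(r, i) for r in range(rounds) for i in (1, 2, 3)]
    for r, i in (reversed(order) if inverse else order):
        j = i % 3 + 1  # the other non-fixed word, untouched by this subround
        t = (D[j] + ks[3 * r + i - 1]) & MASK
        if not inverse:
            D[i] ^= t
            D[FIXED] = (D[FIXED] + D[i]) & MASK
            D[i] = rotl(D[i], D[FIXED])
        else:
            D[i] = rotr(D[i], D[FIXED])
            D[FIXED] = (D[FIXED] - D[i]) & MASK
            D[i] ^= t

def encrypt(block, key, rounds=4):
    D = list(block)
    ks = subkeys(key, 8 + 3 * rounds)
    for i in range(4):  # stage 1: simple arithmetic (add a key word)
        D[i] = (D[i] + ks[i]) & MASK
    mixing(D, rounds)  # stage 2
    keyed_stage(D, ks[8:], rounds)  # stage 3
    inverse_mixing(D, rounds)  # stage 4
    for i in range(4):  # stage 5: simple arithmetic (add again)
        D[i] = (D[i] + ks[4 + i]) & MASK
    return tuple(D)

def decrypt(block, key, rounds=4):
    # Stage 4 is the inverse of stage 2, so decryption runs the same two mixing
    # functions in the same order; only the arithmetic and keyed stages flip.
    D = list(block)
    ks = subkeys(key, 8 + 3 * rounds)
    for i in range(4):
        D[i] = (D[i] - ks[4 + i]) & MASK
    mixing(D, rounds)  # undoes stage 4
    keyed_stage(D, ks[8:], rounds, inverse=True)
    inverse_mixing(D, rounds)  # undoes stage 2
    for i in range(4):
        D[i] = (D[i] - ks[i]) & MASK
    return tuple(D)
```

Because every stage is a bijection, flipping one plaintext bit is guaranteed to change the ciphertext; the toy makes no claim about the linear or differential resistance the patent attributes to its own S-boxes and round functions.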

***** 



1/19/2006, EAST Version: 2.0.1.4 



28/3,K/30 (Item 30 from file: 350) 

DIALOG(R) File 350: Derwent WPIX 
(c) 2006 Thomson Derwent. All rts. reserv. 

014028614 **Image available** 
WPI Acc No: 2001-512828/200156 
XRPX Acc No: N01-379684 

Encrypting input file containing number of blocks using symmetric key block cipher having odd number of stages has simple arithmetic operation performed in first even number of stages 

Patent Assignee: INT BUSINESS MACHINES CORP (IBMC) 
Inventor: COPPERSMITH D; GENNARO R; HALEVI S; JUTLA C S; MATYAS S M; O'CONNOR L J; PEYRAVIAN M; SAFFORD D R; ZUNIC N 
Number of Countries: 001 Number of Patents: 001 

Patent Family: 
Patent No   Kind  Date      Applicat No  Kind  Date      Week 
US 6185304  B1    20010206  US 9827765   A     19980223  200156 B 

Priority Applications (No Type Date): US 9827765 A 19980223 

Patent Details: 
Patent No   Kind  Lan  Pg  Main IPC     Filing Notes 
US 6185304  B1         23  H04K-001/00 

Abstract (Basic): 

...A simple arithmetic operation is performed in a first even number of stages; in a second even number of stages performing an identical number of: (1) Type-3 Feistel unkeyed mixing... 

...4) and (2) Type-3 Feistel unkeyed inverse mixing operation which retrieve values from 2 substitution boxes. The first and second even numbers can be identical; and a Type-3 Feistel keyed transform in a remaining... 

For a symmetric key block cipher, which uses multiple stages, where the stages have different structures and different subround functions. The cipher allows the block size, key size, and number of rounds per... 

...Provides a flexible symmetric block cipher which offers excellent resistance to linear and differential attacks; operates quickly and efficiently while using S-boxes; uses multiplication in a fast and efficient round function because of using an algebraic ring... 

...per stage. The data-independent subkeys can be precomputed, further minimizing the time required for encryption and decryption and a minimal amount of computer storage is required for data used in the operation... 

...The figure shows the stages of operation used for encrypting a block of plain text into a block of cipher text... 

...Title Terms: FIRST; 

International Patent Class (Main): H04K-001/00 
Manual Codes (EPI/S-X): T01-D01 ... T01-E02D ... T01-S01B ... T01-S03 ... W01-A05A 



US006185304B1 

(12) United States Patent (10) Patent No.: US 6,185,304 B1 
Coppersmith et al. (45) Date of Patent: Feb. 6, 2001 

(54) METHOD AND APPARATUS FOR A SYMMETRIC BLOCK CIPHER USING MULTIPLE STAGES 

(75) Inventors: Don Coppersmith, Ossining; Rosario Gennaro, New York; Shai Halevi, Heartsdale; Charanjit S. Jutla, Elmsford, all of NY (US); Stephen M. Matyas, Jr., Manassas, VA (US); Luke James O'Connor, Adliswil (CH); Mohammed Peyravian, Cary, NC (US); David Robert Safford, Brewster; Nevenko Zunic, Wappingers Falls, both of NY (US) 

(73) Assignee: International Business Machines Corporation, Armonk, NY (US) 

(*) Notice: Under 35 U.S.C. 154(b), the term of this patent shall be extended for 0 days. 



(21) Appl. No.: 09/027,765 

(22) Filed: Feb. 23, 1998 

(51) Int. Cl.7 H04K 1/00 

(52) U.S. Cl. 380/37; 380/259 

(58) Field of Search 380/28, 29, 37, 380/42 

(56) References Cited 

U.S. PATENT DOCUMENTS 

4,157,454 * 6/1979 Becker 178/22 
5,511,123 * 4/1996 Adams 380/29 
5,724,428 * 3/1998 Rivest 380/28 

OTHER PUBLICATIONS 

Even and Goldreich, On The Power of Cascade Ciphers, 1983.* 
John Savard, Crypto Compendium, http://home.ecn.ab.ca/~jsavard/crypto/co041203.htm, 1998.* 
Matthew Kwan, The Design of the ICE Encryption Algorithm, Proceeding of Fast Software, 1997.* 
B. Schneier, Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish), Dec. 1993.* 
Y. Zheng, On the Construction of Block Ciphers Provably Secure and Not Relying on Any Unproved Hypotheses, 1989.* 
B. Schneier, et al., Unbalanced Feistel Networks and Block-Cipher Design, 1996.* 
B. Schneier, Applied Cryptography, 2e, John Wiley, pp. 193, 198-201, 347, 1995.* 
Adina Di Porto, Vino: A Block Cipher Including Variable Permutations, 1993.* 

* cited by examiner 

Primary Examiner—Gail O. Hayes 
Assistant Examiner—James Seal 

(74) Attorney, Agent, or Firm—Jeanine S. Ray-Yarletts; Marcia L. Doubet 



(57) ABSTRACT 

The present invention provides a technique, system, and computer program for a symmetric key block cipher. Variable block sizes and key sizes are supported, as well as a variable number of rounds. The cipher uses multiple stages of processing, where the stages have different structures and different subround functions, to provide excellent resistance to both linear and differential attacks. Feistel Type-3 networks are used, with different networks during different stages. The number of rounds may vary among stages. Subkeys are used in some, but not all, stages. The variable-length keys can be precomputed. A novel manner of using multiplication in a cipher is defined. 
stored in temp1, temp2, and temp3, are used to modify the other 3 data words. These three statements are inverted from their corresponding encryption statement. Note that since the statements are independent of one another, the order of the three statements has not been inverted herein. Alternatively, the order could be inverted, without changing the functioning of the statements. The data word passed as the first of these 3 input parameters, D[out1], is modified by having the value in temp1 subtracted from it. The data word passed as the second of these 3 parameters, D[out2], is modified by being exclusive OR'd with the value in temp2. The data word passed as the third of these 3 parameters, D[out3], is modified by having the value in temp3 subtracted from it. The processing of the inverseSubRound function is now complete for this subround. All other subrounds are processed in an identical manner. 

While the preferred embodiment of the present invention has been described, additional variations and modifications in that embodiment may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims shall be construed to include both the preferred embodiment and all such variations and modifications as fall within the spirit and scope of the invention. 

We claim: 

1. A method of encrypting an input file comprising a plurality of blocks using a symmetric key block cipher having an odd number of stages, wherein the odd number is at least 5, comprising the steps of: 

performing a simple arithmetic operation in a first even number of the stages; 

performing, in a second even number of the stages, an identical number of: (1) a Type-3 Feistel unkeyed mixing operation and (2) a Type-3 Feistel unkeyed inverse mixing operation, wherein the first even number and the second even number may be identical; and 

performing a Type-3 Feistel keyed transform in a remaining number of the stages. 

2. The method according to claim 1, wherein the stages in a first half of the first even number and of the second even number are performed during a first half of the odd number of stages, and the stages in a second half of the first even number and of the second even number are performed during a second half of the odd number of stages. 

3. A method of carrying out a symmetric key block cipher using multiple stages, comprising the steps of: 

performing a first simple arithmetic operation in a first stage; 

performing a Type-3 Feistel unkeyed mixing operation in a second stage; 

performing a Type-3 Feistel keyed transform in a third stage; 

performing a Type-3 Feistel unkeyed inverse mixing operation in a fourth stage; and 

performing a second simple arithmetic operation in a fifth stage, wherein the first simple arithmetic operation and the second simple arithmetic operation may be identical. 

4. The method according to claim 3, wherein one or more of the steps is embodied in a hardware chip. 

5. The method according to claim 3, wherein: 

the first simple arithmetic operation is one of (1) an addition operation, (2) a subtraction operation, or (3) an exclusive OR operation; and 

the second simple arithmetic operation is one of (1) the addition operation, (2) the subtraction operation, or (3) the exclusive OR operation. 

6. The method according to claim 5, wherein operands of the first and second simple arithmetic operations are a word being used to encipher a selected data block and a generated key value which has a length identical to that of the word. 

7. The method according to claim 3, wherein a plurality of first feedback operations are performed between distinct rounds of the Type-3 Feistel unkeyed mixing operation, and a plurality of second feedback operations are performed between distinct rounds of the Type-3 Feistel unkeyed inverse mixing operation. 

8. The method according to claim 7, wherein the first feedback operation is an addition operation and the second feedback operation is a subtraction operation. 

9. The method according to claim 3, wherein the Type-3 Feistel unkeyed mixing operation and the Type-3 Feistel unkeyed inverse mixing operation retrieve values from 2 substitution boxes. 

10. The method according to claim 3, wherein a round function of the Type-3 Feistel keyed transform comprises a forward function using (1) an integer multiplication modulo 2^x operation with a generated key value, where x is a bit length of a word from a block being enciphered, and (2) a data-dependent rotation operation. 

11. The method according to claim 3, wherein the cipher supports a variable number of rounds in at least one of the stages, a variable length of generated key values to be used with the cipher in at least the Type-3 Feistel keyed transform and a variable length of input blocks to be enciphered. 

12. A system for carrying out a symmetric key block cipher using multiple stages, comprising: 

means for performing a simple arithmetic operation in a first stage; 

means for performing a Type-3 Feistel unkeyed mixing operation in a second stage; 

means for performing a Type-3 Feistel keyed transform in a third stage; 

means for performing a Type-3 Feistel unkeyed inverse mixing operation in a fourth stage; and 

means for performing the simple arithmetic operation in a fifth stage. 

13. The system according to claim 12, wherein the simple arithmetic operation is one of (1) an addition operation, (2) a subtraction operation, or (3) an exclusive OR operation. 

14. The system according to claim 13, wherein operands of the simple arithmetic operation are a word being used to encipher a selected data block and a generated key value which has a length identical to that of the word. 

15. The system according to claim 12, wherein a plurality of first feedback operations are performed between distinct rounds of the Type-3 Feistel unkeyed mixing operation, and a plurality of second feedback operations are performed between distinct rounds of the Type-3 Feistel unkeyed inverse mixing operation. 

16. The system according to claim 15, wherein the first feedback operation is an addition operation and the second feedback operation is a subtraction operation. 

17. The system according to claim 12, wherein the Type-3 Feistel unkeyed mixing operation and the Type-3 Feistel unkeyed inverse mixing operation retrieve values from 2 substitution boxes. 

18. The system according to claim 12, wherein a round function of the Type-3 Feistel keyed transform comprises a forward function using (1) an integer multiplication modulo 2^x operation with a generated key value, where x is a bit length of a word from a block being enciphered, and (2) a data-dependent rotation operation. 

19. The system according to claim 12, wherein the cipher supports a variable number of rounds in at least one of the stages, a variable length of generated key values to be used with the cipher in at least the Type-3 Feistel keyed transform and a variable length of input blocks to be enciphered. 

20. The system according to claim 12, wherein one or more of the means is embodied in a hardware chip. 

21. A computer program product for carrying out a symmetric key block cipher using multiple stages with a computer, the computer program product embodied on a computer-readable medium and comprising: 

computer-readable program code means for performing a simple arithmetic operation in a first stage; 

computer-readable program code means for performing a Type-3 Feistel unkeyed mixing operation in a second stage; 

computer-readable program code means for performing a Type-3 Feistel keyed transform in a third stage; 

computer-readable program code means for performing a Type-3 Feistel unkeyed inverse mixing operation in a fourth stage; and 

computer-readable program code means for performing the simple arithmetic operation in a fifth stage. 

22. The computer program product according to claim 21, wherein the simple arithmetic operation is one of (1) an addition operation, (2) a subtraction operation, or (3) an exclusive OR operation. 

23. The computer program product according to claim 22, wherein operands of the simple arithmetic operation are a word being used to encipher a selected data block and a generated key value which has a length identical to that of the word. 

24. The computer program product according to claim 21, wherein a plurality of first feedback operations are performed between distinct rounds of the Type-3 Feistel unkeyed mixing operation, and a plurality of second feedback operations are performed between distinct rounds of the Type-3 Feistel unkeyed inverse mixing operation. 

25. The computer program product according to claim 24, wherein the first feedback operation is an addition operation and the second feedback operation is a subtraction operation. 

26. The computer program product according to claim 21, wherein the Type-3 Feistel unkeyed mixing operation and the Type-3 Feistel unkeyed inverse mixing operation retrieve values from 2 substitution boxes. 

27. The computer program product according to claim 21, wherein a round function of the Type-3 Feistel keyed transform comprises a forward function using (1) an integer multiplication modulo 2^x operation with a generated key value, where x is a bit length of a word from a block being enciphered, and (2) a data-dependent rotation operation. 

28. The computer program product according to claim 21, wherein the cipher supports a variable number of rounds in at least one of the stages, a variable length of generated key values to be used with the cipher in at least the Type-3 Feistel keyed transform, and a variable length of input blocks to be enciphered. 

29. The computer program product according to claim 21, wherein one or more of the computer-readable program code means is embodied in a hardware chip. 

***** 
Set Items Description 

S1 51158 (DIGITAL? OR MULTIMEDIA?) () (GOOD? OR PRODUCT? OR ENTIT? OR MODULE? OR UNIT? OR DEVICE?) OR MPEG? ? OR MP3? ? 
S2 2132595 SOFTWARE? OR NONSOFTWARE? OR DVD? ? OR CDROM? OR CD()ROM? OR DISK? OR DISC? ? OR FLOPPY? OR FLOPPIE? 
S3 3906 (AUDIO? (10N) VIDEO?) (2N) (DATA? OR GOOD? OR PRODUCT? OR MODULE? OR ENTIT? OR UNIT? OR DEVICE?) 
S4 1919 SBOX? OR S() (BOX OR BOXES) 
S5 4 RIJNDAELSBOX? OR S () FUNCTION? ( ) (BOX OR BOXES) 
S6 0 (SOFTWARE? OR SOFT () WARE?) () USAGE? () MONITOR? ( ) (BOX OR BOXES) OR SUBSTITUT? () FUNCTION? () (BOX OR BOXES) 
S7 149 SUBSTITUTION? () (LOOKUP OR LOOK? () UP) () TABLE? OR SUBSTITUT? ()LUT? ? OR SUBSTITUT? () (BOX OR BOXES) 
S8 0 RANDOM? () SUBSTITUT? () (LUT? ? OR BOX OR BOXES OR TABLE?) 
S9 5605088 PARTITION? OR PART? ? OR PARTIAL? OR SEGMENT? OR DIVISION? 
S10 2079963 PARCEL? OR PIECE? OR CHUNK? OR FRACTION? OR SLICE? OR DIVID? 
S11 2321505 SECTION? OR SECTOR? OR PORTION? OR APPORTION? OR SECTOR? 
S12 9333243 FIRST? OR 1ST OR PRIMARY OR INITIAL? OR ORIGINAL? OR LEADOFF? OR MAIN OR CHIEF OR INTRODUCTORY? OR MASTER? 
S13 822246 SUBSTITUT? OR PROXIE? OR PROXY? OR STANDIN OR STANDINS OR STAND? ( ) IN 
S14 14541498 SECOND? OR 2ND OR DOUBL? OR TWIN? OR EXTRA? OR ANOTHER OR SUBSIDIAR? OR AUXILIAR? OR DIFFERENT? OR ALTERNAT? OR SLAVE? 
S15 244213 ENCRYPT? OR ENCIPHER? OR ENCYPHER? OR SCRAMBL? OR HASH? OR CRYPT? OR ENSCRAMBL? 
S16 15300 DECRYPT? OR DECIPHER? OR DECYPHER? OR DESCRAMBL? OR DEHASH? OR UNSCRAMBL? OR UNENCRYPT? 
S17 0 IC=(H04K? OR H04L?) 
S18 0 MC=(T01? OR W01? OR W04?) 
S19 13 S1:S3 AND S4:S8 AND S9:S11 AND S15:S16 
S20 2 S19 AND S12:S14 (7N) (S1:S3 OR S9:S11) 
S21 13 S19:S20 
S22 6 S21 AND PY<2001 
03759854 E.I. No: EIP93111136658 
Title: More efficient software implementations of (generalized) DES 
Author: Pfitzmann, Andreas; Assmann, Ralf 
Corporate Source: Universitat Hildesheim, Hildesheim, Ger 
Source: Computers & Security v 12 n 5 Aug 1993. p 477-500 
Publication Year: 1993 
CODEN: CPSEDU ISSN: 0167-4048 
Language: English 

Abstract: This paper serves two purposes: we present some generalizations of the Data Encryption Standard (DES), and explain how to efficiently implement DES and its generalization in software. By preserving the macro structure of DES, but by allowing the user to choose (1... 

...main memories, the big table is split into smaller ones that permute disjoint and compact parts of the input bits at the appropriate positions. To compute an entry in the big... 

...G-DES, it does not seem to make sense to implement anything more narrow in software than G-DES with non-arbitrary E. Using these techniques, we get by far the fastest software implementations of DES (more specifically G-DES with non-arbitrary E) and G-DES known... 

...and 24%. To avoid unnecessary IP and IP^-1 executions, and to enable multiple encryption in all modes of operation, our implementation supports multiple encryption. Our table implementation makes it possible to save key EORing (Exclusive OR equals bitwise addition... 

...Memory requirements can be reduced by not copying bits which are input to one combined S-box. (Author abstract) 47 Refs. 

Descriptors: *Cryptography; Standards; Computer software; Security of data; Data handling; Function evaluation; Computer programming languages 

Identifiers: Authentication; Software implementation of Data Encryption Standard; Generalizations of DES; Modes of operation; Multiple encryption; Implementation of permutations in assembly language; Concatenations 
04690855 JICST ACCESSION NUMBER: 00A1007048 FILE SEGMENT: JICST-E 
A Revised Nested SPN Cipher. 
OKUMA KENJI (1); MURATANI HIROFUMI (1); MOTOYAMA MASAHIKO (1); KAWAMURA SHIN'ICHI (1); SANO FUMIHIKO (2) 
(1) Toshiba Corp.; (2) Toshiba Sigikaise 
Joho Shori Gakkai Kenkyu Hokoku, 2000, VOL. 2000, NO. 80 (CSEC-11), PAGE. 37-42, TBL.7 
JOURNAL NUMBER: Z0031BAO ISSN NO: 0919-6072 
UNIVERSAL DECIMAL CLASSIFICATION: 621.391.037.3 681.3.02-759 
LANGUAGE: Japanese COUNTRY OF PUBLICATION: Japan 
DOCUMENT TYPE: Journal 
ARTICLE TYPE: Original paper 
MEDIA TYPE: Printed Publication 

...ABSTRACT: Type-I and Type-II based on a nested SPN structure where the upper-level S-box consists of the lower-level SP network hierarchically. The key scheduling parts are designed on a 256-bit modified Feistel structure. This paper proposes an improved version... 

DESCRIPTORS: cryptogram; 

...BROADER DESCRIPTORS: software; 
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Special issue on cryptography and information security. 
Superdistribution: The concept and the architecture. 

MORI R (1); KAWAHARA M (1) 

(1) Univ. Tsukuba, Tsukuba-shi, JPN 

Trans Inst Electron Inf Commun Eng E, 1990 , VOL. 73, NO. 7, PAGE . 1133-114 6, 

FIG. 10, TBL.l, REF.ll 
JOURNAL NUMBER: F0699BBZ ISSN NO: 0387-236X 
UNIVERSAL DECIMAL CLASSIFICATION: 681.3.02-759 
LANGUAGE: English COUNTRY OF PUBLICATION: Japan 

DOCUMENT TYPE: Journal 
ARTICLE TYPE: Original paper 
MEDIA TYPE: Printed Publication 

Special issue on cryptography and information security. 

Superdistribution: The concept and the architecture. 
, 1990 

ABSTRACT: Superdistribution is an approach to distributing software in
which software is made available freely and without restriction but
is protected from modifications and modes of usage not authorized by
its vendor. By eliminating the need of software vendors to protect
their products against piracy through copy protection and similar
measures, superdistribution promotes unrestricted distribution of
software. The superdistribution architecture we have developed
provides three principal functions: administrative arrangements for
collecting accounting information on software usage and fees for
software usage; an accounting process that records and accumulates
usage charges, payments, and the allocation of usage charges among
different software vendors; and a defense mechanism, utilizing
digitally protected modules, that protects the system against
interference with its proper operation. Superdistribution software is
distributed over public channels in encrypted form. In order to
participate in superdistribution, a computer must be equipped with an
S-box, a digitally protected module containing microprocessors,
RAM, ROM, and a real-time clock. The S-box preserves secret
information such as a deciphering key and manages the proprietary
aspects of the superdistribution system. A Software Usage Monitor
ensures the integrity of the system and keeps track of accounting
information. The S-box can be realized as a digitally protected
module in the form of a three-dimensional...

...DESCRIPTORS: software ; ...

...cryptogram ;

...BROADER DESCRIPTORS: electric apparatus and parts ; ...
Improving linear cryptanalysis of LOKI91 by Probabilistic counting
method 

FSE '97 : fast software encryption : Haifa, January 20-22, 1997 

SAKURAI K; FURUYA S 
BIHAM Eli, ed 

Department of Computer Science and Communication Engineering, Kyushu 
University, Hakozaki, Higashi-ku, Fukuoka 812-81, Japan 

Fast software encryption. International workshop, 4 (Haifa ISR) 
1997-01-20 

Journal: Lecture notes in computer science, 1997 , 1267 114-133 
Language: English 

Copyright (c) 1997 INIST-CNRS. All rights reserved. 

Improving linear cryptanalysis of LOKI91 by Probabilistic counting 
method 

FSE '97 : fast software encryption : Haifa, January 20-22, 1997
1997 

We improve linear cryptanalysis by introducing a technique of
probabilistic counting into the maximum likelihood stage. In the original
linear cryptanalysis based on the maximum likelihood method with
deterministic counting, the number of effective key and text bits is a
multiple of the number of bits involved in the input to some S-box.
Then, when larger S-boxes are used, the 2R-method and even the 1R-method
can become impractical just because the...

...ciphers where the 2R-method is impractical include LOKI91. We overcome this
problem by selecting a part of the effective key bits and investigating
the probabilistic behavior of the remaining effective key...

...probability that the approximated formula with unknown inputs equals
zero. This extension of linear cryptanalysis makes the 2R-attack on
LOKI91 useful, and thus improves the performance of previous attacks. Furthermore...

English Descriptors: Software engineering; Search algorithm; 
Cryptography 

French Descriptors: Genie logiciel; Algorithme recherche; Cryptographie 
On the difficulty of constructing cryptographically strong
substitution boxes.

Zhang, Xian-Mo (Department of Mathematics, University of Wollongong,
Wollongong, NSW 2500, Australia)
Zheng, Yuliang

Corporate Source Codes: 5-WLG 
J.UCS. The Journal of Universal Computer Science, 1996, 2, no. 3,
147-162 (electronic).
Language: English Summary Language: English 
Subfile: MR (Mathematical Reviews) AMS 
Abstract Length: LONG (48 lines) 
Reviewer: Nyberg, Kaisa (Helsinki) 

On the difficulty of constructing cryptographically strong
substitution boxes.
1996 , 

...as an extended abstract [J. Seberry, X. M. Zhang and Y. Zheng, in
Advances in Cryptology CRYPTO '94 (Santa Barbara, CA, 1994),
383-396, Lecture Notes in Comput. Sci., 839, Springer, Berlin, 1994].

Two significant recent advances in cryptanalysis, namely the
differential attack put forward by E. Biham and A. Shamir [J. Cryptology
4 (1991), no. 1, 3-72; MR 93j:94020] and the linear attack by M. Matsui
[in Advances in Cryptology EUROCRYPT '93 (Lofthus, 1993), 386-397,
Lecture Notes in Comput. Sci. 765, Springer, Berlin, 1994] have had a
crucial impact on the design of data encryption algorithms. In the paper
under review a heuristic measure called 'robustness' is proposed to be
used for substitution boxes to measure resistance against differential
cryptanalysis.

The main part of the paper consists of a study of a particular type
of $n\times s$ substitution boxes which have a uniformly half-occupied
difference distribution table (UHODDT). The authors consider substitution
boxes with a UHODDT and balanced quadratic components particularly
appealing. The main result of the paper is to prove that such substitution
boxes do not exist if $n$ or $s$ is even. The examples given at the end

...that the assumption that all non-zero linear combinations of the output
bits of the substitution box are balanced is essential. It is
misleading not to include this assumption in the statement of Theorem 5.

Generalising the property of UHODDT the authors consider substitution
boxes with two-valued difference distribution tables. The right-hand side
of the first formula on...

...1)(2\sp n-1)$. This error was previously pointed out by Nyberg [in Fast
Software Encryption, 111-130; per revr.], who also first proved
Theorem 6 in a more general form. In this paper, the reviewer also gives...

...treatment of various synthesizing methods, which in the paper under 
review are considered only for substitution boxes with UHODDT. 

Finally, it is shown that the difference distribution table of a 
differentially 2-uniform quadratic permutation embodies a Hadamard matrix. 

No examples of substitution boxes with a two-valued but not 
half-occupied difference distribution table are given in this... 

...have been readily available by Proposition 3 in a paper by Nyberg [in
Advances in cryptology EUROCRYPT '93 (Lofthus, 1993), 55-64, Lecture
Notes in Comput. Sci., 765, Springer, Berlin, 1994...

Descriptors: *94A60 -Information and communication, circuits- 
Communication, information- Cryptography (See also 11T71, 68P25) 
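The review above turns on three measurable properties of an S-box: its difference distribution table and differential uniformity, whether that table is uniformly half-occupied (UHODDT), and whether every non-zero linear combination of the output bits is balanced, the assumption the reviewer says Theorem 5 needs. The Python below is an added example, not code from the paper or the review. It builds the cubing map x -> x^3 over GF(2^3) and GF(2^4) (reduction polynomials x^3+x+1 and x^4+x+1, chosen here; input width n equals output width s) and computes those properties; the function names gf2n_mul, cube_sbox, ddt, differential_uniformity, is_uhoddt, components_balanced and analyse are this example's own.

```python
# Added example: difference-distribution-table checks on small S-boxes.


def gf2n_mul(a, b, n, poly):
    """Multiply a and b in GF(2^n); poly is the reduction polynomial with its x^n term set."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= poly  # reduce modulo the field polynomial
    return r


def cube_sbox(n, poly):
    """The map x -> x^3 over GF(2^n) as an n-bit-to-n-bit lookup table."""
    return [gf2n_mul(gf2n_mul(x, x, n, poly), x, n, poly) for x in range(1 << n)]


def ddt(sbox, s):
    """Difference distribution table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}."""
    m = len(sbox)
    table = [[0] * (1 << s) for _ in range(m)]
    for x in range(m):
        for dx in range(m):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def differential_uniformity(table):
    """Largest entry over non-zero input differences (2 means differentially 2-uniform)."""
    return max(max(row) for row in table[1:])


def is_uhoddt(table, s):
    """Uniformly half-occupied: every non-zero input difference reaches exactly half of
    the 2^s output differences, and each reached one is reached equally often."""
    half = (1 << s) // 2
    for row in table[1:]:
        nonzero = [v for v in row if v]
        if len(nonzero) != half or len(set(nonzero)) != 1:
            return False
    return True


def components_balanced(sbox, s):
    """True iff every non-zero linear combination of the output bits is balanced."""
    m = len(sbox)
    for mask in range(1, 1 << s):
        ones = sum(bin(mask & y).count("1") & 1 for y in sbox)
        if ones != m // 2:
            return False
    return True


def analyse(sbox, s):
    """Summarise the properties the review discusses for one S-box."""
    table = ddt(sbox, s)
    return {
        "permutation": len(set(sbox)) == len(sbox),
        "uniformity": differential_uniformity(table),
        "uhoddt": is_uhoddt(table, s),
        "balanced_components": components_balanced(sbox, s),
    }


if __name__ == "__main__":
    # n = 3 (odd): x^3 is a permutation with a half-occupied table and balanced components.
    print(analyse(cube_sbox(3, 0b1011), 3))
    # n = 4 (even): still differentially 2-uniform with a half-occupied table, but not a
    # permutation, so none of its output components is balanced.
    print(analyse(cube_sbox(4, 0b10011), 4))
```

The n = 4 case is why the balancedness assumption matters: x^3 over GF(2^4) is quadratic and has a UHODDT although n = s = 4 is even, so the non-existence result can only hold once balanced output components are required, which is the point the reviewer makes about Theorem 5.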
Proceedings of the conference on the theory and applications of
cryptographic techniques held at the University of California, Santa
Barbara, Calif., August 11-15, 1986. Edited by A. M. Odlyzko.
Contributors: Odlyzko, A. M.
Publ: Springer-Verlag, Berlin-New York,
1987, xii+489 pp. ISBN: 3-540-18047-8
Series: Lecture Notes in Computer Science, 263. 
Language: English 

Advances in cryptology CRYPTO '86; Conference: Theory and
applications of cryptographic techniques; Santa Barbara, Calif.; Lecture
Notes in Computer Science, 1986 263

Subfile: MR (Mathematical Reviews) AMS 

Abstract Length: LONG (72 lines) 

Reviewer: Editors 

Advances in cryptology CRYPTO '86.

Proceedings of the conference on the theory and applications of
cryptographic techniques held at the University of California, Santa
Barbara, Calif., August 11-15, 1986. Edited...

1987 , 

Advances in cryptology CRYPTO '86; Conference: Theory and 
(57) ABSTRACT

By providing a unit receiving the input of a set T of bit numbers
that are obtained by unequally dividing all the bit numbers of input
data to be given to a computing apparatus, a unit outputting a value
A_T indicating an existence probability of an appropriate linear
converting unit corresponding to a plurality of S boxes of which the
input and output bit numbers are equivalent to the divided bit numbers,
a unit determining that an appropriate linear converting unit is
present when the value of A_T is positive, and a unit forming a pseudo
MDS matrix as the linear converting unit, computation is executed using
a unit with an excellent data diffusion performance as the linear
converting unit in SPN structure, when the input number is not the same
as the output number among a plurality of S boxes of the SPN structure
in an F function.
What is claimed is:

1. A computing apparatus using SPN structure having a
plurality of S boxes and a linear converting unit in an F
function, comprising:

a set of bit numbers inputting unit receiving an input of a
set T={t_1, t_2, t_3, ..., t_r} of bit numbers obtained by
unequally dividing all bit numbers of input data to be
given to the computing apparatus; and

a value indicating existence probability of linear converting
unit outputting unit outputting a value A_T indicating
an existence probability of an appropriate linear
converting unit corresponding to a plurality of S boxes of
which input and output bit numbers are equivalent to
the divided bit numbers.

2. The computing apparatus according to claim 1, wherein
said value indicating existence probability of linear converting
unit outputting unit comprises a minimum value determining
unit obtaining a minimum value u_k (k=1, 2, ..., r)
of a sum of elements of a set formed by selecting optional
k elements from elements of the set T, and a maximum value
determining unit obtaining a maximum value v_k (k=1, 2,
3, ..., r) of a sum of elements of a set formed by selecting
optional k elements from elements of the set T, wherein

a value obtained by subtracting a maximum value of k'
that satisfies u_k >= v_k' (k'=0, 1, ..., r, v_0=0) for a value k,
from k is set as w_k (k=1, 2, ..., r), and the value A_T is
obtained by subtracting a maximum value of w_k from
a value of (r+1).

3. The computing apparatus according to claim 1, further
comprising:

a linear converting unit existence determining unit
determining whether the value A_T is positive, and determining
that the appropriate linear converting unit is present
when the value is positive.

4. The computing apparatus according to claim 2, further
comprising:

a linear converting unit existence determining unit
determining whether the value A_T is positive, and
determining that the appropriate linear converting unit is present
when the value is positive.
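Claims 1 to 4 together define a computation on the bit-width set T: the smallest and largest sums u_k and v_k of k S-box widths, the gaps w_k, and the value A_T that the positivity test of claim 3 is applied to. The Python below is an added example, not code from the patent; it implements that computation as read from claim 2, assuming the inequality garbled in the claim text is u_k >= v_k' with v_0 = 0. The function names u_values, v_values, w_values, a_t and linear_unit_present are this example's own.

```python
# Added example: the A_T computation of claim 2 and the positivity test of claim 3.


def u_values(T):
    """u_k for k = 1..r: the smallest sum of k elements of T (the k smallest widths)."""
    asc = sorted(T)
    return [sum(asc[:k]) for k in range(1, len(T) + 1)]


def v_values(T):
    """v_k for k = 0..r: the largest sum of k elements of T, with v_0 = 0 as in the claim."""
    desc = sorted(T, reverse=True)
    return [sum(desc[:k]) for k in range(0, len(T) + 1)]


def w_values(T):
    """w_k = k - max{k' : u_k >= v_k'}, k = 1..r (assumed reading of the garbled inequality)."""
    u, v = u_values(T), v_values(T)
    r = len(T)
    w = []
    for k in range(1, r + 1):
        k_max = max(kp for kp in range(r + 1) if u[k - 1] >= v[kp])
        w.append(k - k_max)
    return w


def a_t(T):
    """A_T = (r + 1) - max_k w_k."""
    return len(T) + 1 - max(w_values(T))


def linear_unit_present(T):
    """Claim 3: an appropriate linear converting unit is taken to exist when A_T > 0."""
    return a_t(T) > 0


if __name__ == "__main__":
    for widths in ([2, 2, 2, 2], [2, 3, 3], [1, 1, 1, 5]):
        print(widths, "u =", u_values(widths), "v =", v_values(widths),
              "w =", w_values(widths), "A_T =", a_t(widths),
              "present:", linear_unit_present(widths))
```

For an equal division such as four 2-bit words the gaps w_k are all zero and A_T comes out as r + 1, the branch number an MDS matrix over r equal words achieves; the more unequal the split, the larger the largest gap and the smaller A_T.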

5. The computing apparatus according to claim 3, further
comprising: 

a pseudo MDS matrix forming unit forming as the linear 
converting unit, a pseudo MDS matrix corresponding 
to an MDS matrix in a case where the bits are unequally 
divided when it is determined that the linear converting 
unit is present. 

6. The computing apparatus according to claim 4, further 
comprising: 

a pseudo MDS matrix forming unit forming as the linear 
converting unit, a pseudo MDS matrix corresponding 
to an MDS matrix in a case where the bits are unequally 
divided when it is determined that the linear converting 
unit is present. 

7. The computing apparatus according to claim 5, wherein
the pseudo MDS matrix forming unit sets a matrix M of r
columns and r rows to M=(M_ij) (i=1, 2, ..., r; j=1, 2, ...,
r) while setting as an element a partial matrix M_ij of t_i
columns and t_j rows of which an element is 0 or 1, obtains
c(e)=e+r-A_T+1 for each positive number from e=1 to
(A_T-1), obtains a set T_1={t_i1, t_i2, ..., t_ie} formed by
optionally selecting e elements from elements of the set T
and a set T_2={t_j1, t_j2, ..., t_jc(e)} formed by optionally
selecting c(e) elements from elements of the set T, and
obtains a matrix M such that a value of a small matrix of an
optional matrix M corresponding to the set (T_1, T_2) and a
value of a rank of a small matrix of an optional matrix M
corresponding to the set (T_2, T_1) is equal to either a column
number of a small matrix of the matrix M or a number of
ranks of a small matrix of a matrix M.

8. The computing apparatus according to claim 5, wherein
the pseudo MDS matrix forming unit sets a matrix M of r
columns and r rows to M=(M_ij) (i=1, 2, ..., r; j=1, 2, ...,
r) while setting as an element a partial matrix M_ij of t_i
columns and t_j rows of which an element is 0 or 1, obtains
c(e)=e+r-A_T+1 for each positive number from e=1 to
(A_T-1), obtains a set T_1={t_i1, t_i2, ..., t_ie} formed by
optionally selecting e elements from elements of the set T
and a set T_2={t_j1, t_j2, ..., t_jc(e)} formed by optionally
selecting c(e) elements from elements of the set T, and
obtains a matrix M such that a value of a small matrix of an
optional matrix M corresponding to the set (T_1, T_2) and a
value of a rank of a small matrix of an optional matrix M
corresponding to the set (T_2, T_1) is equal to either a column
number of a small matrix of the matrix M or a number of
ranks of a small matrix of a matrix M.

9. The computing apparatus according to claim 7, wherein
a small matrix corresponding to the sets (T_1, T_2) is configured
by a partial matrix designated by columns respectively
corresponding to the t_i1, t_i2, ..., t_ie and rows respectively
corresponding to the t_j1, t_j2, ..., t_jc(e) among partial matrixes
M_ij that function as elements of the r columns and r rows to
configure the matrix M=(M_ij).

10. The computing apparatus according to claim 8,
wherein a small matrix corresponding to the sets (T_1, T_2) is
configured by a partial matrix designated by columns
respectively corresponding to the t_i1, t_i2, ..., t_ie and rows
respectively corresponding to the t_j1, t_j2, ..., t_jc(e), among
partial matrixes M_ij that function as elements of the r
columns and r rows to configure the matrix M=(M_ij).

11. A computation method using SPN structure having a 
plurality of S boxes and a linear converting unit in an F 
function, comprising: 

receiving an input of a set T={t_1, t_2, t_3, ..., t_r} of bit numbers
obtained by unequally dividing all bit numbers of input 
data to be given; and 

outputting a value indicating an existence probability 
of an appropriate linear converting unit corresponding 
to a plurality of S boxes of which input and output bit 
numbers are equivalent to the divided bit numbers. 

12. The computation method using SPN structure having 
an F function according to claim 7, comprising: 

determining whether the value A_T is positive or not; and

determining that the appropriate linear converting unit is 
present when the value is positive. 

13. The computation method according to claim 12, 
wherein a pseudo MDS matrix corresponding to an MDS 
matrix in a case where the bits are equally divided is formed 
as the linear converting unit. 

14. A computer-readable portable recording medium used
by a computer executing a computation process using SPN
structure having a plurality of S boxes and a linear converting
unit in an F function, storing a program for causing the
computer to perform, comprising:

receiving an input of a set T={t_1, t_2, t_3, ..., t_r} of bit
numbers obtained by unequally dividing all bit numbers
of input data to be given; and

outputting a value A_T indicating an existence probability
of an appropriate linear converting unit corresponding
to a plurality of S boxes of which input and output bit
numbers are equivalent to the divided bit numbers.

15. A computing apparatus in which Feistel structure and 
SPN structure are combined, receiving data input and setting 
a computation result for the data input as a data output, 
wherein 

at least one first data converting unit that performs data
conversion using the Feistel structure, and at least one
second data converting unit that performs data conversion
using the SPN structure are continuously combined
between the data input and the data output.

16. The computing apparatus according to claim 15, 
wherein the SPN structure comprises a nonlinear converting 
unit having an input/output bit number obtained by dividing 
a block length of one block of the data input by a word 
length, and a linear converting unit that uses interleaving
conversion. 

17. The computing apparatus according to claim 15, 
comprising: 

a nonlinear converting unit having a probability 0 that for
a set of input data in which a differential appears only
on at least one fixed input bit among input bits to the
nonlinear converting unit, a differential appears for a
set of output data in which a differential appears on at
least one fixed output bits located at the same location
as at least one fixed input bits, and further a probability
1/2 that an optional linear relational equation only
related to the at least one fixed input bits and the at least
one fixed output bits is realized between all the input data
and output data, is provided, as a nonlinear converting
unit configuring the SPN structure.

18. The computing apparatus according to claim 16, 
comprising: 

a nonlinear converting unit having a probability 0 that for
a set of input data in which a differential appears only
on at least one fixed input bit among input bits to the
nonlinear converting unit, a differential appears for a
set of output data in which a differential appears on at
least one fixed output bits located at the same location
as at least one fixed input bits, and further a probability
1/2 that an optional linear relational equation only
related to the at least one fixed input bits and the at least
one fixed output bits is realized between all the input data
and output data, is provided, as a nonlinear converting
unit configuring the SPN structure.

19. A computation method in which Feistel structure and 
SPN structure are combined, receiving a data input and 
setting a computation result for the data input as a data 
output, wherein 

at least one piece of first data conversion that performs 
data conversion using the Feistel structure and at least 
one piece of second data conversion that performs data 
conversion using the SPN structure are combined to be 
executed between the data input and the data output. 



20. The computation method in which the Feistel structure 
and the SPN structure are combined according to claim 19, 
wherein 

in first data conversion using the SPN structure, nonlinear 
conversion of which a number of input bits and a 
number of output bits are equivalent to a value obtained 
by dividing a block length of one block of a data input 
by a word length, and 

linear conversion that uses interleaving conversion, are
executed. 

21. The computing method in which the Feistel structure 
and the SPN structure are combined according to claim 19, 
wherein 

nonlinear conversion having a probability 0 that for a set 
of input data in which a differential appears only on at 
least one fixed input bit among input bits to be used for 
the nonlinear conversion, a differential appears for a set 
of output data in which a differential appears on at least 
one fixed output bits located at the same location as the 
at least one fixed input bits, and further having a 
probability 1/2 that an optional linear relational equation
only related to the at least one fixed input bits and
the at least one fixed output bits is realized between all 
the input data and output data, is executed as nonlinear 
conversion to be executed in the SPN structure. 

22. The computing method in which the Feistel structure 
and the SPN structure are combined according to claim 20, 
wherein 

nonlinear conversion having a probability 0 that for a set 
of input data in which a differential appears only on at 
least one fixed input bit among input bits to be used for 
the nonlinear conversion, a differential appears for a set 
of output data in which a differential appears on at least 
one fixed output bits located at the same location as the 
at least one fixed input bits, and further having a 
probability 1/2 that an optional linear relational equation
only related to the at least one fixed input bits and
the at least one fixed output bits is realized between all 
the input data and output data, is executed as nonlinear 
conversion to be executed in the SPN structure. 

23. A portable computer-readable recording medium 
being used for a computer that executes computation of 
receiving data input and that sets a computation result for the 
input data as a data output, and storing a program causing the 
computer to perform, comprising: 

combining and executing at least one piece of first data
conversion that performs data conversion using Feistel
structure; and at least one piece of second data
conversion that performs data conversion using SPN
structure between the data input and the data output.

24. A computing apparatus using SPN structure having a 
plurality of S boxes and a linear converting unit in an F 
function, comprising: 

set of bit numbers inputting means for receiving an input
of a set T={t_1, t_2, t_3, ..., t_r} of bit numbers obtained by
unequally dividing all bit numbers of input data to be
given to the computing apparatus; and

value indicating existence probability of linear converting
unit outputting means for outputting a value A_T indicating
an existence probability of an appropriate linear
converting unit corresponding to a plurality of S boxes
of which input and output bit numbers are equivalent to
the divided bit numbers.

25. A computing apparatus in which Feistel structure and 
SPN structure are combined, for receiving a data input, and 
setting a computation result for the data input as a data 
output, comprising: 

at least one first data converting means for performing
data conversion using the Feistel structure; and

at least one second data converting means for performing
data conversion using the SPN structure,

wherein said first data converting means and said second
data converting means are continuously combined
between the data input and the data output.

***** 
[57] ABSTRACT

Encryption and authentication techniques which can be
implemented on inexpensive, e.g., 8-bit, microprocessors
and micro-controllers, using very little of the microprocessor's
memory, are described. While the described techniques
require little system resources to implement they still provide
a good degree of security. In accordance with the
present invention, in order to avoid having to specifically
dedicate a portion of the microprocessor's limited memory
for use as a substitution box, a portion of the code stored in
the microprocessor's memory, dedicated to performing
another function, is selected to serve as an S-box. This
memory saving technique is used to implement a block
cipher. The block cipher is used in combination with a series
of other data manipulation operations, including XOR
operations and rotate operations, to provide a good degree of
system security. The operations used to implement the
techniques of the present invention are capable of being
implemented using 8 bit instructions making the techniques
of the present invention well suited for implementation on 8
bit systems such as those used in home and auto control
applications. The message protocol and encryption scheme
of the present invention involves the subtracting of current
message payloads from previously received message payloads
to distinguish between new messages and repeated
messages which have already been acted upon. Messages are
acted upon only once thereby rendering the recording and
playing back of previous messages ineffective at defeating
system security.

26 Claims, 14 Drawing Sheets 
message, and/or comparing the unencrypted message payload
to a list of commands or instructions stored in memory
to determine if a valid message has been received.

As a result of the message subtraction feature of the
present invention, an unencrypted message payload value of
zero results if the current message is a repeat of the last
message. Repeated messages may be the result of the
transmitting device or controller failing to receive an
acknowledgment signal, e.g., due to noise problems. If the
unencrypted message payload 952 is determined to have a
value of zero in step 924, operation progresses to step 936
wherein a message acknowledgment signal is sent to the
transmitting device. Operation then progresses to step 940,
without any further action being taken in response to the
message payload, wherein the system returns to step 904 to
await receipt of the next message.

If, in step 924, e.g., through the use of an instruction or
command look-up operation, it is determined that the
unencrypted message payload represents a valid instruction or
command, system operation progresses to step 932. In step
932 a message acknowledgment signal is transmitted to the
source of the message. The instruction or command is then
acted upon in step 934, e.g., the relay 212 of the device 200
is controlled by the micro-controller 202 in response to the
received message to switch from one position to another.
The encrypted message payload 542, of the message which
was just acted upon, is then stored in step 935 for use in
decoding future messages from the same source as the
current message. The encrypted message payload 542 is
stored in section 219 of EPROM 222 which has a dedicated
memory space for each potential message source. Once the
encrypted message payload is stored, operation progresses
to step 940 and the system returns to step 904 to await
receipt of another message.

If it is determined in step 924 that an unencrypted
message is invalid, e.g., because it does not correspond to a
valid command or instruction, operation progresses from
step 924 to step 926. In step 926 an invalid message counter
implemented in, e.g., the EPROM 222, is incremented to
reflect receipt of the current invalid message. In step 928 a
check is made to determine if the counted number of invalid
messages exceeds a preselected threshold value. If the
preselected threshold is not exceeded, operation progresses
to step 940 which returns system operation to step 904 to
await the receipt of another message.

However, if, in step 928, it is determined that the number
of counted erroneous messages exceeds a threshold value,
operation progresses to step 930. Exceeding the preselected
threshold value of erroneous messages is indicative of an
attempt by an unauthorized individual to penetrate the home
control system's security features. In order to warn of the
potential threat to system security, in step 930 an alarm
message is transmitted to the controller 102.

From step 930 operation progresses to step 940 which
returns system operation to step 904 to await the receipt of
another message.

In accordance with the present invention, the value of the
counter maintained in step 928 may be reset at periodic
intervals to take into consideration invalid messages resulting
from, e.g., signal noise or interference.

While the present invention has been illustrated with
reference to an exemplary embodiment, those skilled in the
art will appreciate that various changes in form and detail
may be made without departing from the intended scope of
the present invention as defined in the appended claims. For
example, a longer message length such as 16 or 32 byte
messages may be used. Because of the variations that can be
applied to the illustrated and described embodiment of the
invention, the invention should be defined solely with
reference to the appended claims.
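The receive loop described above (steps 904 through 940) has two security-relevant pieces: the subtraction of the previously stored payload, which turns a retransmission into a zero and a recorded-and-replayed older message into a value that matches no command, and the invalid-message counter with its threshold and alarm. The Python below is an added example modelling that loop; it is not code from the patent. The one-byte XOR "cipher", the command table, the threshold of 2 in the scenario and the class and function names (Sender, Receiver, replay_scenario) are constructed for this example, and the patent's actual block cipher and message framing are not reproduced.

```python
# Added example: receive-side state machine of the described message protocol.

KEY_BYTE = 0x5A  # constructed stand-in key; not the patent's cipher


def toy_encipher(plain_byte):
    """Stand-in for the block cipher on a one-byte payload (constructed, not secure)."""
    return (plain_byte ^ KEY_BYTE) & 0xFF


def toy_decipher(enc_byte):
    return (enc_byte ^ KEY_BYTE) & 0xFF


# Constructed stand-in for the "list of commands or instructions stored in memory".
VALID_COMMANDS = {0x01: "RELAY_ON", 0x02: "RELAY_OFF", 0x03: "STATUS"}


class Sender:
    """Transmitter: each new command is added to the previous payload in 8-bit
    arithmetic, so the receiver's subtraction recovers it and a resend subtracts to 0."""

    def __init__(self):
        self.last_plain = 0
        self.last_sent = toy_encipher(0)

    def message(self, command):
        self.last_plain = (self.last_plain + command) & 0xFF
        self.last_sent = toy_encipher(self.last_plain)
        return self.last_sent

    def retransmit(self):
        """Resend after a lost acknowledgment (the repeat case of step 924 -> 936)."""
        return self.last_sent


class Receiver:
    def __init__(self, threshold=3):
        self.threshold = threshold      # preselected threshold checked in step 928
        self.invalid_count = 0          # invalid message counter of step 926
        self.last_encrypted = {}        # step 935 store: one slot per message source
        self.relay = "OFF"              # relay 212 switched in step 934
        self.alarms_sent = 0            # alarm messages of step 930

    def _act(self, command):
        if command == "RELAY_ON":
            self.relay = "ON"
        elif command == "RELAY_OFF":
            self.relay = "OFF"

    def handle(self, source, enc_payload):
        """One pass from step 904 (message received) back to step 904."""
        prev = self.last_encrypted.get(source, toy_encipher(0))
        # Message subtraction: current payload minus the stored one from the same source.
        plain = (toy_decipher(enc_payload) - toy_decipher(prev)) & 0xFF
        if plain == 0:                                  # step 924: repeat of last message
            return "ACK_REPEAT"                         # step 936: acknowledge, no action
        if plain in VALID_COMMANDS:                     # step 924: valid command
            self._act(VALID_COMMANDS[plain])            # steps 932 and 934
            self.last_encrypted[source] = enc_payload   # step 935
            return "ACK_EXECUTED"
        self.invalid_count += 1                         # step 926
        if self.invalid_count > self.threshold:         # step 928
            self.alarms_sent += 1                       # step 930
            return "ALARM"
        return "INVALID"

    def reset_invalid_counter(self):
        """Periodic reset that tolerates invalid messages caused by noise."""
        self.invalid_count = 0


def replay_scenario(threshold=2):
    """Constructed exchange: a command, its resend, a second command, then the first
    message recorded and played back three times. Returns the decisions and receiver."""
    tx, rx = Sender(), Receiver(threshold)
    m1 = tx.message(0x01)
    decisions = [rx.handle("ctrl", m1), rx.handle("ctrl", tx.retransmit())]
    m2 = tx.message(0x02)
    decisions.append(rx.handle("ctrl", m2))
    decisions += [rx.handle("ctrl", m1) for _ in range(3)]
    return decisions, rx


if __name__ == "__main__":
    outcome, receiver = replay_scenario()
    print(outcome, "relay:", receiver.relay, "alarms:", receiver.alarms_sent)
```

The per-source slot matters: a message that is the most recent one from its own source subtracts to zero and is merely acknowledged, while an older one replayed after a newer command from the same source yields a non-command value, increments the counter and eventually raises the alarm, which is the behaviour the description attributes to steps 926 through 930.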
What is claimed is: 

1. A method of implementing a block cipher in a first 
device, comprising the steps of: 

selecting a block of application code used by the device 
in performing a first operation for use as a substitution 
box; and 

performing a cipher operation on a first set of bits, the 
cipher operation being different than the first operation 
and including the steps of: 

accessing a portion of the selected block of application 
code to obtain a set of substitution bits therefrom; 
and 

substituting the set of substitution bits for a portion of 
the first set of bits. 

2. The method of claim 1, wherein the step of performing 
a cipher operation on the first set of bits further includes the 
step of: 

rotating the first set of bits. 

3. The method of claim 2, wherein the step of performing 
a cipher operation on the first set of bits further includes the 
step of: 

repeatedly performing the accessing, substituting and 
rotating steps. 

4. The method of claim 3, wherein the step of selecting a 
block of application code includes the step of: 

compressing a plurality of application code blocks and 
selecting the application code block which compresses 
the least for use as the substitution box. 

5. The method of claim 3, wherein the step of selecting a 
block of application code includes the step of: 

selecting a block of code which is common to a plurality 
of devices which communicate with the first device. 

6. A method of implementing a system including a plurality
of devices, each device including a processor and
memory, the memory of each device including application
code for use in performing a first function, the method
comprising the steps of:

identifying application code that is included in each one
of the plurality of devices;

selecting a block of the identified application code to
serve the function of being a substitution box, the
substitution box function being different from the first
function.

7. The method of claim 6, further comprising the step of 
programming each of the plurality of devices with code for 
implementing a block cipher operation. 

8. The method of claim 7, wherein the step of programming
each device to perform a block cipher operation
includes the step of:

programming each device to perform a plurality of
substitution and shift operations as part of the block cipher
operation.

9. The method of claim 8, further comprising the step of 
programming each of the plurality of devices to: 

receive a first encrypted message; 
store at least a portion of the first received encrypted 
message; and 

upon receiving a subsequent encrypted message subtract
at least the stored portion of the first encrypted message
from at least a portion of the subsequently received
encrypted message to thereby determine if the subsequent
encrypted message is a repeat of the first
encrypted message.

10. The method of claim 8, further comprising the step of:
assigning each of the plurality of devices a unique
identifier;

storing the unique identifier assigned to each device in the
device to which the identifier is assigned; and

storing within each particular one of the plurality of
devices, the unique identifier assigned to the devices
with which the particular device in which the unique
identifiers are being stored is capable of
communicating.

11. The method of claim 10, further comprising the step
of:

programming each of the plurality of devices with an 
identical code to be used when performing a cipher 
operation. 

12. The method of claim 10, further comprising the step 
of programming each of the plurality of devices to: 

receive a first encrypted message; 
store at least a portion of the first received encrypted 
message; and 

upon receiving a subsequent encrypted message subtract
at least the stored portion of the first encrypted message
from at least a portion of the subsequently received
encrypted message to thereby determine if the subsequent
encrypted message is a repeat of the first
encrypted message.

13. The method of claim 12, wherein each of the
plurality of devices is programmed to implement only 8 bit
operations.

14. A system, comprising: 

a first device, the first device including: 
a first processor; 

first non-volatile memory coupled to the microprocessor;

first application code stored in the non-volatile 
memory; and 

first means for implementing a block cipher using a 
segment of the first application code stored in the 
first non-volatile memory as a first substitution box.

15. The system of claim 14, further comprising: 
a second device, the second device including: 

a second processor; 

second non-volatile memory coupled to the micropro- 
cessor; 

second application code stored in the second non- 
volatile memory; and 

second means for implementing a block cipher using a 
segment of the second application code stored in the 
second non-volatile memory as a second substitution
box, and wherein the segments of the first and second 
application code used for the first and second sub- 
stitution boxes have an identical content. 

16. The system of claim 15, wherein each of the first and 
second devices further include: 

means for storing received messages; and 

means for comparing a stored message to a received
message to determine if the received message is a
repeat of a stored message.

17. The system of claim 15, wherein the first device 
further includes: 

a first authentication module for generating a message 
authenticator as a function of a message to be 
transmitted, the implemented block cipher, and a
stored code common to both the first and second 
devices. 

18. The system of claim 17, wherein the second device 
further includes: 

a second authentication module for generating a mes- 
sage authenticator as a function of a received 
message, the implemented block cipher and the 
stored code common to both the first and second 
devices. 

19. The system of claim 18, wherein the first authentica- 
tion module includes means for logically XORing prese- 
lected portions of the message to be transmitted together to 
generate a portion of a first cipher key. 

20. The system of claim 19, wherein the second authen- 
tication module includes means for logically XORing pre- 
selected portions of the received message together to gen- 
erate a portion of a second cipher key. 

21. The system of claim 19, wherein the means for 
implementing a block cipher included in each of the first and 
second devices includes means for rotating data and per- 
forming a plurality of substitution operations as a function of 
the content of the first and second substitution boxes, 
respectively. 

22. The system of claim 19, wherein each of the first and 
second devices further include: 

means for storing received messages; and 

means for comparing a stored message to a received
message to determine if the received message is a
repeat of a stored message.

23. The method of claim 15, wherein the means for 
implementing a block cipher included in each of the first and 
second devices includes means for rotating data and per- 
forming a plurality of substitution operations as a function of 
the content of the first and second substitution boxes, 
respectively. 

24. The system of claim 15, 

wherein the first device is a controller which further 
includes an antenna for transmitting messages to the 
second device; and 

wherein the second device includes an antenna for receiv- 
ing messages from the first device. 

25. The system of claim 15, 

wherein the first device is a home appliance controller; 
and 

wherein the second device is a remotely controlled 
switched outlet. 

26. A computer readable medium comprising: 
computer executable instructions for performing the steps
of:

selecting a block of application code used by the device 
in performing a first operation for use as a substitution 
box; and 

performing a cipher operation, the cipher operation being 
different from the first operation, on a first set of bits, 
the cipher operation including the steps of: 
accessing a portion of the selected block of application
code to obtain a set of substitution bits therefrom;
and

substituting the set of substitution bits for a portion of 
the first set of bits. 
[57] ABSTRACT

A method of generating a substitution box (S-box) involves 
generating an S-box with desired characteristics, forming a 
new S-box with another column such that the new S-box has 
the desired characteristics as well, and continuing to add 
columns in these ways until the S-box has the proper size. 
the target S-box, the process of generating a new column is repeated (Step 170).

Once the temporary S-box reaches the desired size, the process may terminate, but other measures may be taken to further decrease the exploitability of the S-box by cryptanalytic attack. A determination is made whether the columns exhibit ideal distribution (Step 175). As mentioned earlier, columns have ideal weight distribution if they have Hamming weight approximately equal to half their length. Columns generated using bent functions, however, will have Hamming weight either equal to 2^{n-1}-2^{n/2-1} or 2^{n-1}+2^{n/2-1}. If the columns do not exhibit ideal distribution, complementing all of the bits of a randomly selected column may improve the overall distribution (Step 180).

Once the columns of the S-box are evenly distributed, the process tests the distribution of the rows of the S-box. If the Hamming weight of the rows is not between a and b, affine functions are added to selected columns (Step 187). The nonlinearity and correlation between columns of an S-box are unaffected by the addition of linear functions to the columns; however, the distribution of the rows may be improved by this technique.

If the rows of the S-box are within acceptable parameters, the XORs of pairs of rows are also tested in this manner (Step 190). If the Hamming weights of the XORs of pairs of rows are not between a and b, affine functions are again added to selected columns (Step 187).

In the process described above, columns are simply discarded if they do not have the desired minimum nonlinearity with respect to any combination of columns already in the S-box. [...] construction method described below and depicted in FIG. 5.

In FIG. 5 the construction process begins by generating an S-box having m inputs and k outputs, wherein k is somewhat smaller than n, the number of outputs of the desired S-box (Step 505). The S-box may be generated in any manner; however, as in the first embodiment, the initial S-box should be chosen to exhibit the desired operational characteristics. Temporary variables, ncols and z, are initialized (Step 510). Variable ncols will denote the number of columns in the current S-box. The variable z will indicate the number of candidate columns temporarily set aside.

The iterative process begins by generating a candidate column, f_z (Step 515). Column f_z is tested first using Test 1 (Step 525). In the example shown in FIG. 5, Test 1 is performed by computing the minimum nonlinearity of all combinations of k-1 columns of the S-box. Any subset of k-1 columns may be used in Test 1, but for this example and ease of notation, it is assumed that the kth column is the column not used in the calculation. Column f_z "passes" Test 1 if the minimum nonlinearity of all of the combinations exceeds a minimum threshold. For example, if, as in the example described above, the target S-box will have 8 inputs and 32 outputs, the minimum threshold for nonlinearity may be set to 74.

If column f_z fails Test 1, the column is discarded and the process generates a new column (Step 515). If column f_z passes Test 1, however, the column is tested using Test 2 (Step 530). In Test 2, the candidate column is tested for nonlinearity with respect to all combinations of columns involving the column not used in Test 1 which, in this example, is column k. Column f_z "passes" Test 2 if the minimum nonlinearity of all of the combinations exceeds a minimum threshold.

If the column passes Test 2, the column is appended to the S-box, z is set to 1 (Step 562), and variable ncols is incremented by 1 (Step 560). The process determines whether the number of columns in the current S-box is equal to the target size (Step 570). If so, the process ends (Step 575). If not, the iterative process begins again by generating a new column f_z (Step 515).

If column f_z fails Test 2, the candidate column is stored rather than discarded (Step 532). A determination is made whether f_z is the first stored column (Step 535). If f_z is the first stored column, variable z is incremented by 1 (Step 540) and the process continues by generating a new column (Step 515). If f_z is the second column to pass Test 1 but fail Test 2, the first and second columns are XORed together (Step 545) and the resulting column is tested using Test 1 (Step 550). Verifying that f_z XOR f_{z-1} passes Test 1 involves only half the effort needed to verify that a new candidate column passes both Tests 1 and 2 and, therefore, typically decreases the time required to find columns for large S-boxes. If f_z XOR f_{z-1} passes Test 1, f_z replaces the kth column of the current S-box (Step 555). The variable z is reset to 1 (Step 565). The column f_z XOR f_{z-1} is appended to the S-box and the number of columns, ncols, is incremented by 1 (Step 570). If f_z XOR f_{z-1} fails Test 1, the variable z is reset to 1 (Step 552) and the process generates a new candidate column.

This method could also be extended in any one of several different ways. For example, the process could save three or more columns that pass Test 1 but fail Test 2. Also, the process may be modified so that any two or more of the Test 2 failures may be XOR'd together to produce a new candidate column.

FIG. 6 illustrates a system consistent with the present invention. As shown in FIG. 6, the present invention uses a processor 610 connected to one or more input/output (I/O) devices (615 and 620) via data [...]. I/O devices 615 and 620 can be any devices that are capable of passing information to or receiving data from processor 610. By way of example only, I/O devices 615 and 620 may be monitors, keyboards, modems, printers, display devices or workstations. Each workstation can be a personal computer (PC) or other hardware that includes a visual display device and data entry device such as a keyboard or mouse. It should further be understood that FIG. 6 describes an exemplary network where each of the hardware components may be implemented by conventional, commercially available computer systems.

It will be apparent to those skilled in the art that various modifications and variations can be made in the methods and systems of the present invention without departing from the spirit or scope of the invention. For example, in addition to the tests for nonlinearity and correlation between columns disclosed, other tests may be performed that are functionally equivalent. The true scope of the claims is defined by the following claims.

What is claimed is:

1. A method of ciphering digital data through use of a substitution box (S-box) capable of receiving m inputs and producing n outputs, where m and n are positive integers greater than 1, comprising the steps of:

(a) generating the S-box by:

(i) selecting desired operational characteristics for the S-box;

(ii) generating a first S-box having m inputs and having k outputs, wherein k is less than n and greater than 1;

(iii) generating a column corresponding to a Boolean function of m inputs;

(iv) determining the operational characteristics of a temporary S-box formed by the first S-box and the column;

(v) modifying the first S-box by appending the column,
if the temporary S-box possesses the desired opera- 
tional characteristics; 

(vi) repeating steps (iii) through (v) until the first S-box 
has n outputs; and subsequently 

(b) ciphering digital data using the first S-box having the 
n outputs. 

2. A method according to claim 1, further including the 
steps of: 

selecting a desired level nonlinearity, NL, for the S-box; 
determining the nonlinearity of a temporary S-box formed 

by the first S-box and the column; and 
modifying the first S-box by appending the column, if the 

nonlinearity of the temporary S-box is equal to or 

greater than NL. 

3. A method according to claim 1, further including the 
steps of: 

selecting a desired level of correlation between columns, 
C, for the S-box; 

determining the correlation between columns of the tem- 
porary S-box formed by the first S-box and the column; 
and 

modifying the first S-box by appending the column, if the 
correlation between columns of the temporary S-box is 
equal to or less than C. 

4. A method according to claim 3, further including the 
steps of: 

selecting a desired level nonlinearity, NL, for the S-box; 
determining the nonlinearity of a temporary S-box formed 

by the first S-box and the column; and 
modifying the first S-box by appending the column, if the 

nonlinearity of the temporary S-box is equal to or 

greater than NL. 

5. A method according to claim 2, wherein the step of 
determining the nonlinearity further comprises the steps of: 

determining the nonlinearity for each combination of 

columns of the temporary S-box; and 
setting the nonlinearity of the temporary S-box equal to 

the minimum nonlinearity of the combinations. 

6. A method according to claim 3, wherein the step of 40 
determining the level of correlation between columns further 
comprises the steps of: 

determining the correlation for each combination of col- 
umns of the temporary S-box; and, 

setting the level of correlation between columns of the 45 
temporary S-box equal to the maximum correlation of 
the set of combinations. 

7. A method according to claim 1, further comprising the 
step of: 

determining the average Hamming weight of the columns 50 

of the mxn S-box; and 
complementing all the bits of randomly selected columns 

until the columns of the S-box have average Hamming 

weight approximately 2^{n-1}.

8. A method according to claim 1, wherein the step of 55 
generating a first S-box includes the step of 

generating the first S-box using bent functions. 

9. A method according to claim 1, wherein the step of 
generating a column includes the step of 

generating the column using bent functions. 

10. A method according to claim 9, wherein the step of 
generating a first S-box includes the step of 

generating the first S-box using bent functions. 
11. A method according to claim 10, further comprising
the step of: 

complementing all the bits of randomly selected columns 
of the S-box until half the columns of the S-box have 
Hamming weight equal to 2^{n-1}-2^{n/2-1} and half the
columns have Hamming weight equal to 2^{n-1}+2^{n/2-1}.

12. A method according to claim 1, further comprising the 
steps of: 

selecting a minimum Hamming weight, a, for the rows of 
the S-box; 

selecting a maximum Hamming weight, b, for the rows of 

the S-box; and 
adding affine functions to the columns of the S-box until 

the weight of each row of the S-box is between a and 

b inclusive. 

13. A method according to claim 12, further comprising 
the step of: 

adding affine functions to the columns of the S-box until 
the weight of each XOR of pairs of rows is between a 
and b inclusive. 

14. A method according to claim 1, further comprising the 
steps of: 

(a) selecting a minimum Hamming weight, a, for the rows 
of the S-box; 

(b) selecting a maximum Hamming weight, b, for the 
rows of the S-box; 

(c) adding affine functions to the columns of the S-box 
until the weight of each row of the S-box is between a 
and b inclusive; 

(d) adding affine functions to the columns of the S-box 
until the weight of each XOR of pairs of rows is 
between a and b inclusive; and 

(e) repeating steps (c) through (d) until the weight of each 
row of the S-box and the weight of each XOR of pairs 
of rows of the S-box are between a and b inclusive. 

15. A method according to claim 1, wherein the step of 
generating a first S-box further includes the step of 

generating a column using the bent function, d(x), such 
represents the Walsh transform of the function where a, b, c
∈ B_6 and A, B, C are their respective Walsh Transforms.

16. A method according to claim 15, wherein the step of 
generating a column further includes the step of generating 
a column using the bent function, f(x), where f is the
mapping f:{0,1}^m -> {0,1} and f(x) may be further defined
as:

f(x)

2^{n/2}


17. A method according to claim 2, wherein the step of 
determining nonlinearity of an S-box includes the step of 
determining the nonlinearity as: 



l ∈ C

nl(f)

where C is the set of all linear combinations of the columns
of S and
18. A method of ciphering digital data through use of an
mxn substitution box (S-box), where m and n are positive 
integers greater than 1, comprising the steps of: 

(a) generating the S-box by: 

(i) selecting a desired level nonlinearity, NL, for the 
mxn S-box;

(ii) generating a first S-box having m inputs and k
outputs, wherein k is less than n and greater than 1; 

(iii) generating a first column, C_1, of length m;

(iv) performing a first operational test using column C_1;

(v) performing a second operational test using column
C_1;

(vi) generating a second column, C_2, of length m;

(vii) performing the first operational test using column
C_2;

(viii) performing the second operational test using
column C_2;

(ix) determining X_1, the XOR of C_1 and C_2, if C_1 and
C_2 both pass the first operational test and fail the
second operational test;

(x) performing the first operational test using X_1;

(xi) replacing the kth column of the first S-box with C_2
and appending C_2 to the first S-box as the (k+1)st
column, if X_1 passes the first operational test;

(xii) incrementing k by 1;

(xiii) repeating steps (iii) through (xii) until k equals n;
and

(b) ciphering digital data using an S-box having m inputs 
and k outputs where k=n. 

19. A method according to claim 18, wherein the step of 
performing a first operational test further includes the step 
of:

determining the minimum nonlinearity of the set contain- 
ing all combinations of k-1 columns of the first S-box 
and the column. 

20. A method according to claim 18, wherein the step of 
performing a second operational test further includes the
step of: 

determining the minimum nonlinearity of the set contain- 
ing all combinations of the columns of the first S-box 
that include the column omitted in the first operational 
test and the column. 

21. A system for ciphering digital data using a substitution
box (S-box) capable of receiving m inputs and producing n 
outputs, where m and n are positive integers greater than 1, 
comprising: 

means for generating the S-box including: 

means for selecting desired operational characteristics;
means for generating a first S-box having m inputs and 

having k outputs, wherein k is less than n and greater 

than 1; 

means for generating a column corresponding to a 
Boolean function of m inputs;

means for determining the operational characteristics 
of a temporary S-box formed by the first S-box and 
the column; 

means for modifying the first S-box by appending the 
column, if the temporary S-box possesses the desired
operational characteristics; and 
means for ciphering digital data using a modified first 

S-box. 

22. A system for ciphering digital data using a substitution 
box (S-box) capable of receiving m inputs and producing n
outputs, where m and n are positive integers greater than 1, 
comprising: 
means for generating the S-box including:

means for selecting a desired level nonlinearity, NL, for 
the S-box;

means for generating a first S-box having nonlinearity 

equal to or greater than NL; 
means for generating a column corresponding to a 

Boolean function of m inputs; 
means for determining the nonlinearity of a temporary 

S-box formed by the first S-box and the column; 
means for modifying the first S-box by appending the 

column, if the nonlinearity of the temporary S-box is 

equal to or greater than NL; and 

means for ciphering digital data using a modified first 
S-box. 

23. A system according to claim 22, further comprising: 
means for selecting a desired level of correlation between 

columns, C, for the S-box; 
means for determining the correlation between columns 

of the temporary S-box formed by the first S-box and 

the column; and 
means for modifying the first S-box by appending the 

column, if the correlation between columns of the 

temporary S-box is equal to or less than C. 

24. A system according to claim 22, further comprising: 
means for determining the average Hamming weight of 

the columns of the mxn S-box; and 
means for complementing all the bits of randomly 
selected columns until the columns of the S-box have 
average Hamming weight approximately 2^{n-1}.

25. A system for ciphering digital data using an mxn 
substitution box (S-box), where m and n are positive integers 
greater than 1, comprising: 

means for generating the S-box including: 

means for selecting a desired level nonlinearity, NL, for 

the mxn S-box; 
means for generating a first S-box having m inputs and 

k outputs, wherein k is less than n and greater than 

1; 

means for generating columns, C_1 and C_2;
means for performing a first operational test;
means for performing a second operational test;

means for determining the XOR X_1 of the two columns C_1
and C_2;

means for replacing the kth column of the first S-box
with C_1 and appending C_2 to the first S-box as the
k+1 column, if X_1 passes the first operational test and
if both C_1 and C_2 pass the first operational test
and fail the second operational test; and

means for ciphering digital data using an S-box resultant 
from the means for replacing. 

26. A system according to claim 25, wherein the step of 
performing a first operational test further includes the step 
of: 

determining the minimum nonlinearity of the set contain- 
ing all combinations of k-1 columns of the first S-box 
and the column. 

27. A system according to claim 24, wherein the step of 
performing a second operational test further includes the 
step of: 

determining the minimum nonlinearity of the set contain- 
ing all combinations of the columns of the first S-box 
that include the column omitted in the first operational 
test and the column. 

***** 
[57] ABSTRACT

A system for generating variable substitution boxes from 
arbitrary keys for use in a block cipher system utilizes an 
initial set of linearly independent numbers to generate 
substitution tables. The initial set of linearly independent 
numbers is modulated with the bits of an arbitrary key 
through operations that result in final sets of linearly inde- 
pendent numbers to form the substitution tables. The system 
also includes an implementation which allows for rapid key 
changes for the crypto system by only generating portions of 
the substitution tables as needed for specific blocks of input 
data to be encrypted or decrypted.

23 Claims, 7 Drawing Sheets 
receive, and optionally send, high-speed digital data through
television cable (CATV) networks which are capable of
delivering digital data. As depicted in FIG. 4, the use of the
present invention in a cable modem 400 connected to cable
system 402 involves a duplex filter 404, a tuner 406, a
Quadrature Phase Shift Keying (QPSK) modulator 408, a
Quadrature Amplitude Modulation (QAM) demodulator
410, a block cipher security system 412 complying with the
present invention, a processor 414, and a network interface
such as an Ethernet interface 416 coupled to a computer 417,
and optionally a conventional telephone line modem 418
connected to the telephone lines 420.

The cable modem system 400 receives data frames from 
the downstream RF channel 403 from the cable system 402. 
The received frames, after qualification and processing, are 
delivered to the computer 417 via the network interface 416. 
In the depicted embodiment, the network interface advan- 
tageously comprises a 10Base-T ethernet interface. Data
received from the computer 417 ("client") (through the 
interface 416) is formatted and returned upstream via the 
upstream modulator 408. The modem can return data 
received from the client 417 via the optional modem 418. 
This option provides the user the benefit of high-speed down-
stream data delivery when the user is using a "One Way"
cable plant (i.e., there is no upstream ability in the cable
system 402). 

For data from the Cable System 402, the RF signal arrives 
at the duplex filter 404 which provides high-pass filtering. 
The signal is then delivered to the tuner 406. The tuner 
selects the RF channel of interest and delivers the selected 
intermediate frequency (IF) signal to the QAM demodulator 
410. The QAM demodulator 410 demodulates the IF signal, 
providing synchronization, error detection/correction and 
outputs parallel data to the receiver portion (the receive 
buffer Rx) of the Security Device 412. The security device 
412 decrypts the received data, if necessary, and based on 
conditional access functionality contained in the security 
device 412, and conditional access control information
received in the downstream data, delivers the decrypted data 
to the processor 414. The processor 414 is responsible for 
reassembling the received packets of data and, after addi- 
tional qualification, signals the ethernet controller to send 
the packet(s) to the computer 417.

For data to be sent upstream, the processor 414 formats 
the data received from the computer 417 for transmission via 
the QPSK modulator 408 or via the optional modem 418. 
The processor then passes the data packet(s) to the security 
device 412 for encryption. The security device 412 then 
passes the packets to the QPSK modulator 408, to the duplex
filter 404, and then to the cable system 402. If the packet is
to be sent via the standard modem 418, the data packet is
passed by the processor 414 to the modem 418 without 
encrypting. 

The encryption/decryption functionality of the security 
device 412 may be implemented in software or in hardware. 
In the present embodiment, software can be used for data 
throughput requirements of less than 10 Mbits/sec. Hard- 
ware provides faster throughput. In order to handle packets 
from different sources, the security device 412 may be 
required to perform fast key switching. In applications 
where only a few simultaneous sources are possible, this 
may be accomplished by caching the tables required for each 
key in memory (such as RAM). In applications where numer-
ous simultaneous sources are possible, or where the use of 
memory (such as RAM) is constrained, the embodiment of 
FIG. 3 above may be utilized. 

While preferred embodiments of this invention have been 
disclosed herein, those skilled in the art will appreciate that 
changes and modifications may be made therein without
departing from the spirit and scope of the invention. 
We claim: 

1. A block cipher system, in which sub-blocks of data are
replaced by other sub-blocks as defined by one or more
mappings, wherein each mapping can be expressed as a
substitution table, said system comprising:
a first complete set of linearly independent numbers
selected from a plurality of complete sets of linearly
independent numbers;
a key; and 

means for generating at least portions of a resulting n-bit 
encryption table (E) and a resulting n-bit decryption 
table (D) from a fixed n-bit source substitution table (R) 
stored in memory and said first complete set of linearly 
independent n-bit numbers. 

2. The block cipher system of claim 1, wherein said first
complete set of linearly independent n-bit numbers is used 
to form a linear transformation for the source substitution 
table (R). 

3. The block cipher system of claim 2, wherein the linear
transformation comprises a second complete set of linearly 
independent numbers generated by modulating the first 
complete set of linearly independent numbers with said key. 

4. The block cipher system of claim 3, wherein said linear
transformation (T) is used as follows:

For K from 0 through 2^n-1:

E[T(K)]=T(R[K]),

and

D[T(R[K])]=T(K).

5. The block cipher system of claim 4, wherein the
transformation (T) comprises a right multiplication by a
matrix formed from the second complete set of linearly
independent numbers.

6. The block cipher system of claim 3, wherein said linear
transformation is used as follows:

For K from 0 through 2^n-1:

E[T(K)]=T(R[K]⊕F),

and

D[T(R[K]⊕F)]=T(K),

where F is an n-bit value determined from the key.

7. The block cipher system of claim 1, wherein said means
for generating comprises a means for performing a linear
transformation (T) on said source substitution table (R), said
transformation (T) comprising a second complete set of
linearly independent numbers generated from said key and
said first complete set of linearly independent numbers.

8. The block cipher system of claim 1, wherein said means
for generating comprises means for concurrently generating
a second complete set of linearly independent n-bit numbers
to form a first linear transformation (T), and a third complete
set of linearly independent n-bit numbers to form a second
linear transformation (T^-1) which is the inverse of the first
linear transformation (T).

9. The block cipher system of claim 1, wherein said means
for generating comprises means for generating the specific
n-bit outputs which correspond to outputs for the encryption
substitution table or the decryption substitution table on an
as-needed basis, for each n-bit input value (U), without
generating the entire encryption substitution table (E) or the
entire decryption substitution table (D).

10. The block cipher system of claim 9, wherein said
means for generating further comprises encryption and
decryption source substitution tables, R and [...], stored in
memory, and further comprises means for performing an
n-bit transformation, T, and its inverse, T^-1, as follows:

and
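As an added example (not the patent's own code), the following Python builds the encryption and decryption tables of claims 4 and 6 for n = 4: key bits modulate a first complete set of linearly independent numbers by XORing rows into one another (claims 14 and 15), the resulting matrix right-multiplies table indices (claim 5), and a single entry is produced on demand without generating the whole table (claim 9). The source table R, the base row set and the key-bit layout are constructed for this example.

```python
N = 4                          # n-bit table entries: 2**N = 16 entries (assumption of this example)

# Fixed n-bit source substitution table R (a constructed 4-bit permutation) and a first
# complete set of linearly independent 4-bit numbers (rows of an invertible GF(2) matrix).
R = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
BASE_ROWS = [0b0001, 0b0011, 0b0111, 0b1111]


def is_complete_set(rows):
    """True when the rows are linearly independent over GF(2) (Gaussian elimination)."""
    pivots = {}                               # leading bit -> reduced row
    for r in rows:
        for bit in sorted(pivots, reverse=True):
            if (r >> bit) & 1:
                r ^= pivots[bit]
        if r == 0:
            return False
        pivots[r.bit_length() - 1] = r
    return True


def apply(rows, v):
    """Right-multiply the n-bit row vector v by the matrix whose rows are `rows`."""
    out = 0
    for i, row in enumerate(rows):
        if (v >> i) & 1:
            out ^= row
    return out


def invert(rows):
    """Rows of the inverse matrix (T^-1), so apply(invert(rows), apply(rows, v)) == v."""
    return [next(v for v in range(1 << N) if apply(rows, v) == 1 << i) for i in range(N)]


def modulate(base_rows, key_bits):
    """Claims 14/15: each key bit decides whether row j is XORed into row i; these are
    elementary row operations, so the second set stays linearly independent."""
    rows = list(base_rows)
    bits = iter(key_bits)
    for i in range(N):
        for j in range(N):
            if i != j and next(bits, 0):
                rows[i] ^= rows[j]
    return rows


def key_schedule(key):
    """Constructed key layout: bits 0..11 modulate the rows, bits 12..15 form F."""
    bits = [(key >> b) & 1 for b in range(N * N)]
    rows = modulate(BASE_ROWS, bits[: N * (N - 1)])
    F = sum(bit << i for i, bit in enumerate(bits[N * (N - 1):]))
    return rows, F


def build_tables(rows, F):
    """Claim 6: for K from 0 through 2^n-1, E[T(K)] = T(R[K] XOR F) and
    D[T(R[K] XOR F)] = T(K). With F = 0 this is claim 4."""
    E, D = [0] * (1 << N), [0] * (1 << N)
    for K in range(1 << N):
        tk, tr = apply(rows, K), apply(rows, R[K] ^ F)
        E[tk], D[tr] = tr, tk
    return E, D


def encrypt_entry(rows, inv_rows, F, U):
    """Claim 9: one output for input U with no table built: E[U] = T(R[T^-1(U)] XOR F)."""
    return apply(rows, R[apply(inv_rows, U)] ^ F)


def decrypt_entry(rows, inv_rows, F, V):
    """D[V] = T(R^-1[T^-1(V) XOR F]), using the inverse source table as the second table."""
    return apply(rows, R.index(apply(inv_rows, V) ^ F))


if __name__ == "__main__":
    rows, F = key_schedule(0x5A3C)            # constructed 16-bit key
    E, D = build_tables(rows, F)
    print("T rows:", [f"{r:04b}" for r in rows], "F:", F)
    print("E:", E)
    print("D:", D)
```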

11. A block cipher system comprising: 

a first complete set of linearly independent numbers, each 

of a selected bit length; 
a key; 

a source substitution table stored in memory; 

a modulation module responsive to selected bits from said 
key to control operations on said first complete set of 
linearly independent numbers to obtain a second com- 
plete set of linearly independent numbers; 

a transformation module which transforms the source 
substitution table stored in memory using said second 
complete set of linearly independent numbers to obtain 
a resulting substitution table; and 

a decryption substitution module which has an input and 
an output, said input comprising data blocks for which 
substitution is desired and said output comprising the 
substitution blocks for said input data blocks, said 
substitution blocks obtained from said resulting substi- 
tution table. 

12. The block cipher system of claim 11, further com-
prising an encryption module with an input and an output, 
said input comprising data blocks for which substitution is 
desired and said output comprising substitution blocks for 
said input data blocks, said substitution blocks obtained 
from said resulting substitution table. 

13. The block cipher system of claim 11, further com-
prising a plurality of complete sets of linearly independent 
numbers stored in memory, wherein said modulation module 
is responsive to selected key bits to select said first complete 
set of linearly independent numbers from said plurality of 
complete sets. 

14. The block cipher system of claim 13, wherein said
modulation module is responsive to other key bits to select 
certain numbers from said first complete set of linearly 
independent numbers for XOR operations with other num- 
bers from said first complete set of linearly independent 
numbers to form said second set of linearly independent 
numbers. 

15. The block cipher system of claim 11, wherein said 
modulation module is responsive to selected key bits to 
select certain numbers of said first set of linearly indepen- 
dent numbers for an XOR operation with other numbers of 
said first set of linearly independent numbers to form said 
second set of linearly independent numbers. 

16. The block cipher system of claim 11, wherein said
transformation module forms a matrix of the second set of 
linearly independent numbers and uses this matrix as a 
transformation of the source substitution table to form said 
resulting substitution table. 




17. The block cipher system of claim 16, wherein said
transformation module right multiplies data from said source 
substitution table by said matrix to form said resulting 
substitution table. 

18. The block cipher system of claim 17, wherein said
source substitution table comprises a plurality of data blocks 
of a predetermined bit length, and wherein said transforma- 
tion comprises two inputs, said first input being an index 
input and said second input being said data blocks from said 

source substitution table, wherein said transformation mod-
ule right multiplies said index by said matrix and right 
multiplies said data blocks by said matrix in order to obtain 
said resulting substitution table. 

19. The block cipher system of claim 18, wherein said
transformation module comprises outputs, said outputs com-
prising a transformed index and a transformed data block, 
said index providing an address for the transformed data 
block. 

20. A block cipher system comprising: 

a first complete set of linearly independent numbers, each
of a selected bit length; 
a key; 

a source substitution table stored in memory; 

a transformation module which transforms the source
substitution table stored in memory using a transfor- 
mation from said first complete set of linearly indepen- 
dent numbers and said key to obtain temporary
portions of a resulting substitution table on an as
needed basis, without generating entire substitution
tables for encryption and decryption; and
a crypto module which has an input and an output, said
input comprising data blocks to be encrypted or 
decrypted and said output comprising substitution 

blocks for said input data blocks, said substitution
blocks obtained from said temporary portions of the 
resulting substitution table. 

21. The block cipher system of claim 20, wherein said
transformation module comprises an n-bit transformation 

logic and an n-bit inverse transformation logic.

22. The block cipher system of claim 21, wherein said
n-bit linear transformation logic and said n-bit inverse linear 
transformation logic have variable portions which are con- 
figured simultaneously. 

23. The block cipher system of claim 21, wherein said
transformation module performs the following transforma- 
tion: 

E[U] = T(R_E[T^{-1}(U)])

and

where R_E is the source encryption substitution table, R_D
is the source decryption substitution table, T^{-1} is the
inverse n-bit linear transformation, T is the n-bit linear
transformation, E[U] is the temporary portion of the
resulting encryption substitution table, D[U] is the
temporary portion of the resulting decryption table, and
U is the input data block.

* * * * * 
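As an added illustration (not code from the patent), the following Python builds the transformation T of claims 11 to 23 as an invertible matrix over GF(2) whose rows are a complete set of linearly independent 8-bit numbers, modulates it with key bits as in claims 14 and 15, computes a single entry E[U] = T(R_E[T^{-1}(U)]) on demand as in claim 23, and checks it against the full table obtained by right-multiplying index and data as in claims 18 and 19. The source tables R_E and R_D are constructed random permutations, with R_D = R_E^{-1} assumed; the key value and seed are constructed.

```python
"""Added example, not code from the patent: key-dependent S-box transformation
E[U] = T(R_E[T^-1(U)]) with T an invertible linear map over GF(2) built from a
complete set of linearly independent n-bit numbers (claims 11-23 above)."""
import random

N = 8  # bit length of the numbers, indices and table entries


def apply_T(rows, x):
    """Right-multiply the n-bit row vector x by the matrix whose i-th row is
    rows[i]: bit i of x selects row i and the selected rows are XORed."""
    out = 0
    for i, row in enumerate(rows):
        if (x >> i) & 1:
            out ^= row
    return out


def gf2_invert(rows):
    """Gauss-Jordan over GF(2). Returns the rows of the inverse matrix, or None
    when the rows are not linearly independent (no complete set, no T^-1)."""
    n = len(rows)
    a, inv = list(rows), [1 << i for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if (a[r] >> col) & 1), None)
        if pivot is None:
            return None
        a[col], a[pivot] = a[pivot], a[col]
        inv[col], inv[pivot] = inv[pivot], inv[col]
        for r in range(n):
            if r != col and (a[r] >> col) & 1:
                a[r] ^= a[col]
                inv[r] ^= inv[col]
    return inv


def modulate(first_set, key_bits):
    """Claims 14/15: key bits select which numbers of the first complete set are
    XORed into which others. Each step is an elementary row operation, so the
    second set stays linearly independent (the matrix stays invertible)."""
    rows = list(first_set)
    n = len(rows)
    for i in range(n):
        for j in range(n):
            if i != j and (key_bits >> (i * n + j)) & 1:
                rows[i] ^= rows[j]
    return rows


def make_source_tables(seed):
    """Constructed source tables: R_E a random byte permutation, R_D = R_E^-1
    (an assumption about how the patent's decryption source table is related)."""
    r_e = list(range(1 << N))
    random.Random(seed).shuffle(r_e)
    r_d = [0] * len(r_e)
    for i, v in enumerate(r_e):
        r_d[v] = i
    return r_e, r_d


def entry_on_demand(t, t_inv, source, u):
    """Claim 23: one entry of the resulting table, E[U] = T(R[T^-1(U)]),
    without materialising the whole table."""
    return apply_T(t, source[apply_T(t_inv, u)])


def build_full_table(t, source):
    """Claims 18/19: right-multiply both the index and the data block by the
    matrix; the transformed index addresses the transformed data."""
    result = [0] * len(source)
    for index, data in enumerate(source):
        result[apply_T(t, index)] = apply_T(t, data)
    return result


def round_trip_ok(key_bits=0x1234_5678_9ABC_DEF0, seed=7):
    """Checks D[E[U]] = U for every U and that on-demand entries agree with
    the fully built table. Key and seed are constructed values."""
    first_set = [1 << i for i in range(N)]          # identity rows: a complete set
    t = modulate(first_set, key_bits)
    t_inv = gf2_invert(t)
    if t_inv is None:
        return False
    r_e, r_d = make_source_tables(seed)
    full_e = build_full_table(t, r_e)
    for u in range(1 << N):
        e = entry_on_demand(t, t_inv, r_e, u)
        if e != full_e[u] or entry_on_demand(t, t_inv, r_d, e) != u:
            return False
    return True


if __name__ == "__main__":
    print("round trip ok:", round_trip_ok())
```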
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operand is located by effectively rotating the current sub-key 
one byte to the right, then using the byte from this rotated 
sub-key that corresponds to the byte counter i. The second 
operand is the byte of the current sub-key pointed to by the 
byte counter (without having rotated the sub-key). For
example, if the sub-keys and blocks are 8 bytes long, and the 
byte counter is 0, the first operand will be the byte numbered 
"i-1 mod ||C||", which in this case evaluates to ((0-1) mod 
8), or 7. This is the eighth byte of the current sub-key. The 
second operand will be the first byte, the byte numbered 0, 
of the same sub-key. 

At Step 630, the generation counter v is incremented. 
Control then transfers back to Step 580. 

Control reaches Step 640 when all the iterations of
mixing, permutation, and key-dependent substitution have 
completed for this sub-key. At this step, the current sub-key 
is exclusive OR'd with the temporary variable X in which a 
value was saved at Step 560. The result of the exclusive OR 
is substituted as the new value of the current sub-key.

At Step 650, the byte counter i is again initialized to 0. 
Step 660 compares the byte counter value to the length of the 
blocks. If the test at Step 660 has a positive result, control 
transfers to Step 670; otherwise, control transfers to Step
690. 

Step 670 takes a byte from the newly-generated sub-key, 
and substitutes it back into the original input key, which 
results in further randomization of the sub-keys being gen- 
erated. The following mathematical equation defines the
process by which this is done: 

The byte counter i points to the current byte of the current
sub-key, and the iteration counter r identifies the current
sub-key. This byte from the sub-key will be substituted into
the input key. The position at which this byte will be
substituted is determined by the expression "rL+i mod ||K||".
Using the same example used above for inserting the byte at
Step 540, where the block size C is 8 bytes, the input key K
is 24 bytes long, the total number of rounds of processing is
11, the iteration counter r is 0, and the byte counter i is 0, the
result is that the first byte of the first sub-key is substituted
into the first byte of the input key. If the iteration counter r
is 3, the byte counter i is 2, and the other variables are
unchanged, the expression becomes ((3 * 2)+(2 mod 24))=
(6+2)=8, so that the third byte (because i=2) of the fourth
sub-key (because r=3) is substituted for the ninth byte (the
byte numbered 8) of the input key.

At Step 680, the byte counter i is incremented. Control 
then transfers back to Step 660. 

Control reaches Step 690 when a complete round of 
sub-key generation (consisting of generating the sub-key
bytes, encrypting the bytes, and substituting the encrypted 
bytes back into the input key) has completed. At Step 690, 
the iteration counter r is incremented. Control then transfers 
back to Step 510. 

While the preferred embodiments of the present invention
have been described, additional variations and modifications 
in those embodiments may occur to those skilled in the art 
once they learn of the basic inventive concepts. Therefore, 
it is intended that the appended claims shall be construed to 
include both the preferred embodiments and all such varia-
tions and modifications as fall within the spirit and scope of
the invention. 
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TABLE 1

SYMBOL      DEFINITION

C           The plaintext (input data) or ciphertext (encrypted) block.

||C||       The length of C in bytes, where ||C|| is an even integer and
            ||C|| ≥ 8.

C_i         Byte i of C, where 0 ≤ i ≤ ||C|| - 1.

R           An integer number denoting the total number of rounds of the
            encryption algorithm, where R ≥ ⌈(||C|| + 16)/5⌉. The
            notation ⌈x⌉ denotes the smallest integer greater than or equal
            to x. For example, if x = 3.2, then ⌈x⌉ = 4.

K           The symmetric (secret) encryption/decryption input key.

||K||       The length of K in bytes. ||K|| is an integer in the following
            interval: ||C|| ≤ ||K|| ≤ ||C|| * R.

K_j         Byte j of key K, where 0 ≤ j ≤ ||K|| - 1.

K^<r>       The rth sub-key derived from K, where 0 ≤ r ≤ R - 1. Each
            sub-key is of length ||C|| bytes.

K_i^<r>     Byte i of sub-key K^<r>, where 0 ≤ i ≤ ||C|| - 1.

L           An integer defined as L = ⌈(||K|| - ||C||)/(R - 1)⌉. When the
            input key is bigger than the block size, L equally divides the
            additional input key bytes among the sub-keys.

S_j^<n>     The jth entry of the nth s-box, where 0 ≤ n ≤ 1, and
            0 ≤ j ≤ 255. Each s-box contains 256 non-repeating 8-bit
            values which are indexed from 0 to 255. The jth entry of the
            inverse of the nth s-box is denoted by S_j^{-1<n>}.

A ↔ B       denotes swapping of A with B.

A ⊕ B       denotes exclusive ORing A and B.



What is claimed is: 

1. In a computing environment, computer-readable code
for providing a byte-oriented symmetric key block cipher
which supports a variable length symmetric input key, a 
variable length block, and a variable number of rounds, said 
computer-readable code embodied on a computer-readable 
medium and comprising: 

computer-readable program code means for determining a 
number of rounds of cipher processing to use as said 
variable number of rounds, a key length of said variable 
length symmetric input key, and a block length of said 
variable length block; 
computer-readable program code means for generating a 
plurality of sub-keys using said symmetric input key as 
an input value, wherein each of said generated sub-keys 
is equal in length to said block length and where a 
distinct one of said sub-keys is generated for each of
said number of rounds; 
computer-readable program code means for obtaining an 
input data block to be encrypted, wherein said input 
data block comprises a plurality of input data bytes, 
said plurality being equal in number to said block 
length; and 

computer-readable program code means for iteratively 
performing a set of round functions a number of times 
equal to said number of rounds in order to encrypt said 
input data block, wherein said set of round functions 
comprises a mixing function, a permuting function, and 
a key-dependent substitution function, and wherein 
said computer-readable program code means for itera- 
tively performing further comprises: 
computer-readable program code means for performing 
said mixing function by mixing each of said input 
data bytes using a first XOR operation and a second 
XOR operation, wherein said first and second XOR 
operations are different, followed by a first 
substitution-box (S-box) lookup operation, thereby 
creating a plurality of mixed bytes; 
computer-readable program code means for performing 
said permuting function by swapping each of said 
mixed bytes, thereby creating a plurality of permuted 
bytes; 
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computer-readable program code means for performing 
said key-dependent substitution function by substi- 
tuting a byte value for each of said permuted bytes, 
wherein said byte value is determined by performing 
a third XOR operation followed by a second S-box
lookup operation, thereby creating a plurality of 
substituted bytes; and 

computer-readable program code means for treating 
said plurality of substituted bytes as said plurality of 
input data bytes for a subsequent iteration of said
computer-readable program code means for itera- 
tively performing, provided said number of times has 
not been reached. 

2. The computer-readable code according to claim 1, 
wherein said computer-readable program code means for
performing said mixing function further comprises: 

computer-readable program code means for dividing said 
plurality of input data bytes into a left input half and a 
right input half; 

computer-readable program code means for performing a
first mixing operation on said left input half and a 
second mixing operation on said right input half, 
wherein said second mixing operation uses a different 
selection of operands for said first and second XOR 
operations than does said first mixing operation;

computer-readable program code means for using each 
byte of a result of said second XOR operation of said 
first mixing operation as a lookup index for said first 
S-box lookup operation to retrieve bytes of a new left
half; and 

computer-readable program code means for using each
byte of an output of said second XOR operation of said 
second mixing operation as said lookup index for said 
first S-box lookup operation to retrieve bytes of a new
right half. 

3. The computer-readable code according to claim 2, 
wherein: 

said computer-readable program code means for perform- 
ing said first mixing operation further comprises:
computer-readable program code means for using an 
identically-numbered byte from said left input half 
and said right input half as operands of said first 
XOR operation; and 
computer-readable program code means for using a
result of said first XOR operation and a byte from 
said right input half that has been effectively rotated 
right one byte as operands of said second XOR 
operation; and 

said computer-readable program code means for perform- 50 
ing said second mixing operation further comprises: 
computer-readable program code means for using a 
selected byte from said right input half and a 
previously-mixed byte from said new left half that 
has been effectively rotated right one byte as oper-
ands of said first XOR operation; and 
computer-readable program code means for using an 
output of said first XOR operation and a different 
previously- mixed byte from said new left half that 
has been effectively rotated left two bytes as oper-
ands of said second XOR operation. 

4. The computer-readable code according to claim 1,
wherein said computer-readable program code means for
performing said mixing function and said computer-readable
program code means for performing said key-dependent
substitution function perform said first S-box lookup opera-
tion and said second S-box lookup operation, respectively,
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by accessing a selected one of two distinct S-boxes using a
one-byte index, each of said S-boxes having 256 distinct
entries, each of said entries being a one-byte value.

5. The computer-readable code according to claim 1, 
wherein one or more of said computer-readable program
code means is embodied in a hardware chip. 

6. The computer-readable code according to claim 1, 
wherein said computer-readable program code means for 
performing said permuting function further comprises: 

computer-readable program code means for dividing said 
plurality of mixed bytes into a left mixed half and a 
right mixed half; and 

computer-readable program code means for swapping 
said left mixed half with said right mixed half. 

7. The computer-readable code according to claim 1, 
wherein said computer-readable program code means for 
performing said key-dependent substitution function further 
comprises: 

computer-readable program code means for using a sub- 
key byte from a selected one of said generated sub-keys 
which is uniquely associated with said round as an 
operand of said third XOR operation, along with said 
each permuted byte; and 

computer-readable program code means for performing 
said second S-box lookup operation using each byte of 
a result of said third XOR operation as an index. 

8. The computer-readable code according to claim 1, 
wherein particular values of one or more of said number of 
rounds, said key length, and said block length are deter- 
mined in advance in order to optimize said computer- 
readable code, and wherein said computer-readable program 
code means for determining therefore operates as if said one 
or more particular values are fixed. 

9. The computer-readable code according to claim 1, 
further comprising: 

computer-readable program code means for decrypting 
said encrypted data block, resulting in restoration of 
said plurality of input data bytes, by performing a set of 
inverse round functions said number of times equal to 
said number of rounds, wherein said set of inverse 
round functions comprises an inverse key-dependent 
substitution function which is inverse to said key- 
dependent substitution function, an inverse permuting 
function which is inverse to said permuting function, 
and an inverse mixing function which is inverse to said 
mixing function. 

10. A system for providing a byte-oriented symmetric key 
block cipher which supports a variable length symmetric 
input key, a variable length block, and a variable number of 
rounds, comprising: 

means for determining a number of rounds of cipher 
processing to use as said variable number of rounds, a 
key length of said variable length symmetric input key, 
and a block length of said variable length block; 

means for generating a plurality of sub-keys using said 
symmetric input key as an input value, wherein each of 
said generated sub-keys is equal in length to said block 
length and where a distinct one of said sub-keys is
generated for each of said number of rounds; 

means for obtaining an input data block to be encrypted, 
wherein said input data block comprises a plurality of 
input data bytes, said plurality being equal in number to 
said block length; and 

means for iteratively performing a set of round functions 
a number of times equal to said number of rounds in 
order to encrypt said input data block, wherein said set 
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of round functions comprises a mixing function, a 
permuting function, and a key-dependent substitution 
function, and wherein said means for iteratively per- 
forming further comprises: 

means for performing said mixing function by mixing
each of said input data bytes using a first XOR 
operation and a second XOR operation, wherein said 
first and second XOR operations are different, fol- 
lowed by a first substitution-box (S-box) lookup 
operation, thereby creating a plurality of mixed
bytes; 

means for performing said permuting function by 
swapping each of said mixed bytes, thereby creating 
a plurality of permuted bytes; 

means for performing said key-dependent substitution
function by substituting a byte value for each of said 
permuted bytes, wherein said byte value is deter- 
mined by performing a third XOR operation fol- 
lowed by a second S-box lookup operation, thereby 
creating a plurality of substituted bytes; and

means for treating said plurality of substituted bytes as 
said plurality of input data bytes for a subsequent 
iteration of said means for iteratively performing, 
provided said number of times has not been reached. 

11. The system according to claim 10, wherein said means
for performing said mixing function further comprises: 

means for dividing said plurality of input data bytes into 
a left input half and a right input half; 

means for performing a first mixing operation on said left 
input half and a second mixing operation on said right half,
wherein said second mixing operation uses a different 
selection of operands for said first and said second 
XOR operations than does said first mixing operation; 

means for using each byte of a result of said second XOR
operation of said first mixing operation as a lookup 
index for said first S-box lookup operation to retrieve 
bytes of a new left half; and 

means for using each byte of an output of said second 
XOR operation of said second mixing operation as said
lookup index for said first S-box lookup operation to 
retrieve bytes of a new right half. 

12. The system according to claim 11, wherein: 

said means for performing said first mixing operation 
further comprises:
means for using an identically-numbered byte from 
said left input half and said right input half as 
operands of said first XOR operation; and 
means for using a result of said first XOR operation and 
a byte from said right input half that has been
effectively rotated right one byte as operands of said 
second XOR operation; and 
said means for performing said second mixing operation 
further comprises: 

means for using a selected byte from said right input 55 
half and a previously-mixed byte from said new left
half that has been effectively rotated right one byte as 
operands of said first XOR operation; and 

means for using an output of said first XOR operation 
and a different previously-mixed byte from said new
left half that has been effectively rotated left two 
bytes as operands of said second XOR operation. 

13. The system according to claim 10, wherein said means
for performing said mixing function and said means for
performing said key-dependent substitution function per-
form said first S-box lookup operation and said second
S-box lookup operation, respectively, by accessing a
selected one of two distinct S-boxes using a one-byte index,
each of said S-boxes having 256 distinct entries, each of said
entries being a one-byte value.

14. The system according to claim 10, wherein one or 
more of said means is embodied in a hardware chip. 

15. The system according to claim 10, wherein said means
for performing said permuting function further comprises:

means for dividing said plurality of mixed bytes into a left
mixed half and a right mixed half; and

means for swapping said left mixed half with said right
mixed half.

16. The system according to claim 10, wherein said means 
for performing said key-dependent substitution function 
further comprises: 

means for using a sub-key byte from a selected one of said 
generated sub-keys which is uniquely associated with 
said round as an operand of said third XOR operation, 
along with said each permuted byte; and 

means for performing said second S-box lookup operation 
using each byte of a result of said third XOR operation 
as an index. 

17. The system according to claim 10, wherein particular 
values of one or more of said number of rounds, said key 
length, and said block length are determined in advance in 
order to optimize said system, and wherein said means for 
determining therefore operates as if said one or more par- 
ticular values are fixed. 

18. The system according to claim 10, further comprising:

means for decrypting said encrypted data block, resulting
in restoration of said plurality of input data bytes, by
performing a set of inverse round functions said num-
ber of times equal to said number of rounds, wherein
said set of inverse round functions comprises an inverse
key-dependent substitution function which is inverse to
said key-dependent substitution function, an inverse
permuting function which is inverse to said permuting
function, and an inverse mixing function which is
inverse to said mixing function.

19. A method of providing a byte-oriented symmetric key 
block cipher which supports a variable length symmetric 
input key, a variable length block, and a variable number of 
rounds, comprising the steps of: 

determining a number of rounds of cipher processing to 
use as said variable number of rounds, a key length of 
said variable length symmetric input key, and a block 
length of said variable length block; 

generating a plurality of sub-keys using said symmetric 
input key as an input value, wherein each of said 
generated sub-keys is equal in length to said block
length and where a distinct one of said sub-keys is 
generated for each of said number of rounds; 

obtaining an input data block to be encrypted, wherein 
said input data block comprises a plurality of input data 
bytes, said plurality being equal in number to said block 
length; and 

iteratively performing a set of round functions a number 
of times equal to said number of rounds in order to 
encrypt said input data block, wherein said set of round 
functions comprises a mixing function, a permuting 
function, and a key-dependent substitution function, 
and wherein said iteratively performing step further 
comprises the steps of: 

performing said mixing function by mixing each of said 
input data bytes using a first XOR operation and a 
second XOR operation, wherein said first and second 
XOR operations are different, followed by a first 
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substitution -box (S-box) lookup operation, thereby 
creating a plurality of mixed bytes; 

performing said permuting function by swapping each 
of said mixed bytes, thereby creating a plurality of 
permuted bytes;

performing said key-dependent substitution function by 
substituting a byte value for each of said permuted 
bytes, wherein said byte value is determined by 
performing a third XOR operation followed by a 
second S-box lookup operation, thereby creating a
plurality of substituted bytes; and 

treating said plurality of substituted bytes as said plu-
rality of input data bytes for a subsequent iteration of
said iteratively performing step, provided said num-
ber of times has not been reached.

20. The method according to claim 19, wherein said step 
of performing said mixing function further comprises the 
steps of: 

dividing said plurality of input data bytes into a left input 
half and a right input half;

performing a first mixing operation on said left input half 
and a second mixing operation on said right half, 
wherein said second mixing operation uses a different 
selection of operands for said first and second XOR 
operations than does said first mixing operation;

using each byte of a result of said second XOR operation
of said first mixing operation as a lookup index for said
first S-box lookup operation to retrieve bytes of a new
left half; and

using each byte of an output of said second XOR opera-
tion of said second mixing operation as said lookup
index for said first S-box lookup operation to retrieve
bytes of a new right half.

21. The method according to claim 20, wherein:

said step of performing said first mixing operation further
comprises the steps of:

using an identically-numbered byte from said left input
half and said right input half as operands of said first
XOR operation; and

using a result of said first XOR operation and a byte
from said right input half that has been effectively
rotated right one byte as operands of said second
XOR operation; and

said step of performing said second mixing operation
further comprises the steps of:

using a selected byte from said right input half and a
previously-mixed byte from said new left half that
has been effectively rotated right one byte as oper-
ands of said first XOR operation; and
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using an output of said first XOR operation and a 
different previously-mixed byte from said new left 
half that has been effectively rotated left two bytes as 
operands of said second XOR operation. 

22. The method according to claim 19, wherein said step 
of performing said mixing function and said step of per- 
forming said key-dependent substitution function perform 
said first S-box lookup operation and said second S-box 
lookup operation, respectively, by accessing a selected one 
of two distinct S-boxes using a one-byte index, each of said 
S-boxes having 256 distinct entries, each of said entries 
being a one-byte value. 

23. The method according to claim 19, wherein one or 
more of said steps is embodied in a hardware chip. 

24. The method according to claim 19, wherein said step
of performing said permuting function further comprises the
steps of:

dividing said plurality of mixed bytes into a left mixed
half and a right mixed half; and

swapping said left mixed half with said right mixed half.

25. The method according to claim 19, wherein said step 
of performing said key-dependent substitution function fur- 
ther comprises the steps of: 

using a sub-key byte from a selected one of said generated 
sub-keys which is uniquely associated with said round 
as an operand of said third XOR operation, along with
said each permuted byte; and 

performing said second S-box lookup operation using 
each byte of a result of said third XOR operation as an 
index. 

26. The method according to claim 19, wherein particu-
lar values of one or more of said number of rounds, said key 
length, and said block length are determined in advance in 
order to optimize said method, and wherein said step of 
determining therefore operates as if said one or more par- 
ticular values are fixed. 

27. The method according to claim 19, further comprising 
the step of: 

decrypting said encrypted data block, resulting in resto- 
ration of said plurality of input data bytes, by perform- 
ing a set of inverse round functions said number of 
times equal to said number of rounds, wherein said set 
of inverse round functions comprises an inverse key- 
dependent substitution function which is inverse to said 
key-dependent substitution function, an inverse per- 
muting function which is inverse to said permuting 
function, and an inverse mixing function which is inverse to said
mixing function. 

***** 
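The round functions claimed above (claims 1 to 3, 10 to 12 and 19 to 21: the two-XOR-plus-S-box mixing of each half, the half-swap permutation, and the sub-key XOR followed by a second S-box lookup), together with their inverses from claims 9, 18 and 27, as an added Python example that is not the patent's own code. It assumes that "rotated right one byte" supplies byte (i-1) mod h at position i (the reading the specification's own operand example uses), that "rotated left two bytes" supplies byte (i+2) mod h, that the "selected byte from said right input half" in the second mixing operation is the identically numbered byte R[i], and it uses constructed S-boxes and a placeholder sub-key schedule because neither the S-box values nor the full sub-key derivation is on this page.

```python
"""Added example, not code from the patent: one round of the byte-oriented
cipher claimed above (mixing, permuting, key-dependent substitution) and its
inverse. Assumptions: 'rotated right one byte' supplies byte (i-1) mod h at
position i, 'rotated left two bytes' supplies byte (i+2) mod h, and the
'selected byte from the right input half' in the second mixing is R[i]."""
import random


def make_sboxes(seed):
    """Two distinct 256-entry byte permutations (claim 4). Constructed here;
    the patent's actual S-box values are not on this page."""
    rng = random.Random(seed)
    boxes = []
    for _ in range(2):
        tbl = list(range(256))
        rng.shuffle(tbl)
        boxes.append(tbl)
    return boxes


def invert_sbox(sbox):
    inv = [0] * 256
    for i, v in enumerate(sbox):
        inv[v] = i
    return inv


def mix(block, s0):
    """Claims 2/3: first mixing on the left half, second on the right half,
    each two XORs followed by an S-box 0 lookup."""
    h = len(block) // 2
    left, right = block[:h], block[h:]
    new_left = [s0[left[i] ^ right[i] ^ right[(i - 1) % h]] for i in range(h)]
    new_right = [s0[right[i] ^ new_left[(i - 1) % h] ^ new_left[(i + 2) % h]]
                 for i in range(h)]
    return new_left + new_right


def unmix(block, s0_inv):
    """Inverse mixing: recover the original right half first, since the second
    mixing depends only on the original right half and the new left half."""
    h = len(block) // 2
    new_left, new_right = block[:h], block[h:]
    right = [s0_inv[new_right[i]] ^ new_left[(i - 1) % h] ^ new_left[(i + 2) % h]
             for i in range(h)]
    left = [s0_inv[new_left[i]] ^ right[i] ^ right[(i - 1) % h] for i in range(h)]
    return left + right


def permute(block):
    """Claim 6: swap the left and right mixed halves; self-inverse."""
    h = len(block) // 2
    return block[h:] + block[:h]


def key_substitute(block, subkey, s1):
    """Claim 7: XOR each permuted byte with the round's sub-key byte, then S-box 1."""
    return [s1[b ^ k] for b, k in zip(block, subkey)]


def key_unsubstitute(block, subkey, s1_inv):
    return [s1_inv[b] ^ k for b, k in zip(block, subkey)]


def encrypt(block, subkeys, sboxes):
    s0, s1 = sboxes
    for subkey in subkeys:                       # one distinct sub-key per round
        block = key_substitute(permute(mix(block, s0)), subkey, s1)
    return block


def decrypt(block, subkeys, sboxes):
    s0_inv, s1_inv = invert_sbox(sboxes[0]), invert_sbox(sboxes[1])
    for subkey in reversed(subkeys):
        block = unmix(permute(key_unsubstitute(block, subkey, s1_inv)), s0_inv)
    return block


def constructed_subkeys(rounds, block_len, seed):
    """Placeholder sub-key schedule: the patent derives its sub-keys from the
    input key (the FIG. 5 steps); that procedure is not reproduced here."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(block_len)] for _ in range(rounds)]


def round_trip(plaintext, rounds=11, seed=1):
    """Encrypts and decrypts; returns (ciphertext, recovered) for checking."""
    sboxes = make_sboxes(seed)
    subkeys = constructed_subkeys(rounds, len(plaintext), seed)
    ciphertext = encrypt(list(plaintext), subkeys, sboxes)
    return ciphertext, decrypt(ciphertext, subkeys, sboxes)


if __name__ == "__main__":
    ct, pt = round_trip(list(b"8 bytes!"))
    print(bytes(ct).hex(), bytes(pt))
```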
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ABSTRACT 



A method and apparatus for inter-round mixing in iterated 
block substitution systems is disclosed. The method 
involves optimizing inter- round mixing so that each data bit 
affects each other data bit in the same way. This is accom- 
plished by applying a quick trickle permutation or a quasi 
quick trickle permutation to the data bits undergoing block 
substitution allocated to n individual substitution boxes. 

6 Claims, 21 Drawing Sheets 
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14,-, thus similarly practicing the present invention and 
obtaining the same effect. More specifically, the XORs of the 
value KA and constants may be computed in advance and 
are held in the form of a table, and the S box 14jc- may look 
up the table using the value KA as an input parameter to 
obtain a given XOR. 

FIG. 14 is a functional block diagram showing the 
arrangement of a smart card that embodies the aforemen- 
tioned extended key generator, encryption/decryption unit, 
and storage medium of the present invention. As shown in 
FIG. 14, a smart card 51 has a CPU 53, RAM 55, ROM 57, 
EEPROM 59, and contactor 61. The RAM 55 is used to store 
various data, and is used as a work area or the like. The 
ROM 57 is used to store various data, programs, and the like. 
The EEPROM 59 stores programs and the like shown in the 
flow charts in FIGS. 8 and 13. The contactor 61 obtains 
electrical contacts with a smart card reader/writer (not 
shown). Note that the programs shown in FIGS. 8 and 13 
may be stored in the RAM 55 or ROM 57 in place of the 
EEPROM 59. 

Fourth Embodiment 

An encryption/decryption unit according to the fourth 
embodiment of the present invention will be described 
below using FIG. 15. This encryption/decryption unit 30 has 
an arrangement described in one of the first to third 
embodiments, and is used to protect digital information such 
as image data, music data, and the like (to be referred to as 
raw data hereinafter). 

Assume that the encryption/decryption unit 30 is 
implemented on a personal computer PC by installing a 
program from a storage medium, as shown in FIG. 15. The 
encryption/decryption unit 30 encrypts raw data input to the 
personal computer PC using, e.g., a user ID as a common 
key, and stores the obtained encrypted data (corresponding 
to the aforementioned ciphertext) in a portable memory 
element 31. As such memory element 31, a smart card, 
smart media, memory card, or the like may be used. 

The memory element 31 is distributed to the user's home, 
and an encryption/decryption unit (not shown) in the user's 
home decrypts the encrypted data in the memory element 31 
on the basis of the self user ID and reproduces obtained 
image data or music data from, e.g., a loudspeaker or the 
like. In this manner, raw data (contents) can be distributed 
only to users who have made a subscription contract in 
advance. 

Various modifications of this embodiment are available as 
follows. For example, as shown in FIG. 16, a recording unit 
32 comprising the encryption/decryption unit 30 as a 
hardware circuit may be provided in place of the personal 
computer PC. With this arrangement, upon writing contents 
in the memory element 31, the encryption/decryption unit 30 
encrypts raw data based on, e.g., a user ID, and stores 
the encrypted data in the memory element 31. The processes 
from delivery to the home to decryption are the same as 
those described above. In this manner, the encryption/ 
decryption unit 30 may be provided to the dedicated 
recording unit 32 in place of a versatile computer such as 
the personal computer PC and the like. 

Also, as shown in FIG. 17, a host computer 33 with the 
encryption/decryption unit 30 may be connected to the 
personal computer PC via a network NW. In this case, 
encrypted data downloaded from the host computer 33 is 
stored in the memory element 32 via the personal computer 
PC in the encrypted state. The processes from delivery to the 
home to decryption are the same as those described above. 
According to this modification, in addition to the 
aforementioned effect, contents (raw data) on the network 
NW can be prevented from being eavesdropped. 

Furthermore, as shown in FIGS. 18A and 18B, a DVD 
(digital versatile disc) may be used as the memory element. 
In the case shown in FIG. 18A, a DVD 34 that pre-stores 
encrypted data is distributed to the user. The encryption/ 
decryption unit 30 at the user's home decrypts the encrypted 
data in the DVD 34, and reproduces obtained image data or 
music data from a loudspeaker or the like. 

Also, in the case shown in FIG. 18B, raw data such as 
image data, music data, or the like is encrypted by the 
encryption/decryption unit 30 at the user's home using a 
predetermined common key, and the obtained encrypted 
data is stored in a DVD-RAM 35. 

This encrypted data is decrypted by the predetermined 
common key set by the user, but cannot be decrypted by a 
third party unless the common key is disclosed. Therefore, 
personal image data and music data can be saved while 
being protected from third parties. 

Other Embodiments 

As a storage medium that stores a program for 
implementing the processes of the extended key generator 
and encryption/decryption unit of the present invention, a 
magnetic disk, floppy disk, hard disk, optical disk (CD-ROM, 
CD-R, DVD, or the like), magnetooptical disk (MO or the 
like), semiconductor memory, and the like may be used. In 
practice, the storage format is not particularly limited as long 
as a storage medium can store the program and can be read 
by a computer. 

An OS (operating system) which is running on a computer 
or MW (middleware) such as database management 
software, network software, or the like may execute some of 
the processes that implement the above embodiment, on the 
basis of an instruction of the program installed from the 
storage medium in the computer. 

Furthermore, the storage medium in the present invention 
is not limited to a medium independent from the computer, 
but includes a storage medium which stores or temporarily 
stores a program downloaded from a LAN, the Internet, or 
the like. 

The number of storage media is not limited to one, and the 
storage medium of the present invention includes a case 
wherein the processes of the above embodiment are 
implemented from a plurality of media, and either medium 
arrangement may be used. 

Note that the computer in the present invention executes 
processes of the above embodiment on the basis of programs 
stored in the storage medium, and can be either an apparatus 
consisting of a single device such as a personal computer, or 
a system built by connecting a plurality of devices via a 
network. 

The computer in the present invention is not limited to a 
personal computer, and includes an arithmetic processing 
device, microcomputer, and the like included in an 
information processing apparatus, i.e., includes all devices 
and apparatuses that can implement the functions of the 
present invention via programs. 

The present invention is not limited to a DES cryptosystem 
but can be applied to any other block cryptosystems using 
round functions. For example, the present invention may be 
applied to cryptosystems such as Lucifer, LOKI, MISTY1, 
MISTY2, and SAFER (Secure and Fast Encryption Routine), 
and the like. 

In the above embodiments, the S box makes nonlinear 
transformation using a substitution table. Alternatively, the S 
box may make nonlinear transformation using a wiring 
pattern. 

In the embodiment shown in FIG. 10, two sets of 
transform elements including the constant registers 12i, XOR 
elements 13i, S boxes 14i, and extended transformers 15i are 
arranged in parallel. Alternatively, three or more sets of 
transform elements may be arranged in parallel. 

Various other modifications of the present invention may 
be made within the scope of the invention. 

Additional advantages and modifications will readily 
occur to those skilled in the art. Therefore, the invention in 
its broader aspects is not limited to the specific details and 
representative embodiments shown and described herein. 
Accordingly, various modifications may be made without 
departing from the spirit or scope of the general inventive 
concept as defined by the appended claims and their 
equivalents. 

What is claimed is: 

1. An expansion key generation apparatus, which generates 
expansion keys based on input keys, the apparatus 
comprising a plurality of cascade-connected key transform 
devices, each of the key transform devices comprising: 

an exclusive-OR element for calculating an exclusive-OR 
of a constant determined for each of the key transform 
devices and a first key obtained from the input key; 

a nonlinear transform unit for nonlinearly transforming an 
output from the exclusive-OR element using a 
predetermined substitution table; 

an expansion unit for performing an expansion processing 
on an output from the nonlinear transform unit; and 

an expansion key calculation unit for calculating the 
expansion key based on an output from the expansion 
unit and a second key obtained from the input key, 

wherein the expansion key calculation unit adds with 
carry-up the output from the expansion unit and the 
second key. 

2. An expansion key generation apparatus, which generates 
expansion keys based on input keys, the apparatus 
comprising a plurality of cascade-connected key transform 
devices, each of the key transform devices comprising: 

an exclusive-OR element for calculating an exclusive-OR 
of a constant determined for each of the key transform 
devices and a first key obtained from the input key; 

a nonlinear transform unit for nonlinearly transforming an 
output from the exclusive-OR element using a 
predetermined substitution table; 

an expansion unit for performing an expansion processing 
on an output from the nonlinear transform unit; and 

an expansion key calculation unit for calculating the 
expansion key based on an output from the expansion 
unit and a second key obtained from the input key, 

wherein the expansion key calculation unit performs a 
shifting of a predetermined number of bits and shifts 
the output from the nonlinear transform unit to the least 
significant bit by the number of bits that is half the 
number of bits of the output from the nonlinear transform 
unit, or by the number of bits obtained by adding 
an integer multiple of the number of bits of the output 
from the nonlinear transform unit to the half number of 
bits. 

3. An expansion key generation program, which causes a 
computer to generate expansion keys based on input keys 
using a plurality of cascade-connected key transform 
devices, the program comprising: 

program code for calculating an exclusive-OR of a con- 
stant determined for each of the key transform devices 
and a first key obtained from the input key; 

program code for nonlinearly transforming a result of an 
exclusive-OR using a predetermined substitution table; 

program code for performing an expansion processing on 
a result of a nonlinear transform; and 

program code for calculating the expansion key based on 
a result of expansion processing and a second key 
obtained from the input key, 

wherein the program code for calculating the expansion 
key comprises program code for adding with carry-up 
a result of an expansion and the second key. 

4. An expansion key generation program, which causes a 
computer to generate expansion keys based on input keys 
using a plurality of cascade-connected key transform 
devices, the program comprising: 

program code for calculating an exclusive-OR of a con- 
stant determined for each of the key transform devices 
and a first key obtained from the input key; 

program code for nonlinearly transforming a result of an 
exclusive-OR using a predetermined substitution table; 

program code for performing an expansion processing on 
a result of a nonlinear transform, wherein the program 
code for performing the expansion processing com- 
prises program code for shifting a result of a nonlinear 
transform by a predetermined number of bits that is half 
the number of bits of a result of a nonlinear transform, 
or by the number of bits obtained by adding an integer 
multiple of the number of bits of the result of the 
nonlinear transform to the half number of bits; 

program code for calculating the expansion key based on 
a result of expansion processing and a second key 
obtained from the input key; and 

program code for shifting the input key to a least signifi- 
cant bit or a most significant bit and inputting the 
shifted key to the key transform device of a next stage. 
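The cascade of key transform devices recited in claims 1 to 4, modelled as an added example (not the patent's own code): the stage constant is XORed into a first key, the result passes through a substitution table, the expansion unit shifts it by half the S-box width, the shifted value is added with carry-up to a second key, and the input key is rotated for the next stage. The 64/32-bit word widths, the choice of the top byte as the first key, the 8-bit S-box built from the public PRESENT 4-bit S-box, and the constants are assumptions.

```python
"""Model of the cascade-connected key transform devices of claims 1 to 4.

Added example, not the patent's own code. Word widths, the byte used as the
"first key", the stage constants and the 8-bit S-box are constructed assumptions;
only the structure follows the claims: XOR with a stage constant -> substitution
table -> shift by half the S-box width -> add with carry-up to the second key ->
rotate the input key for the next stage."""
from typing import List, Sequence, Tuple

MASK32, MASK64 = (1 << 32) - 1, (1 << 64) - 1
SBOX_BITS = 8
# Public PRESENT 4-bit S-box, used only to build a constructed 8-bit bijection.
PRESENT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def sbox8(x: int) -> int:
    """Nonlinear transform unit (constructed): S-box both nibbles and swap them."""
    return (PRESENT[x & 0xF] << 4) | PRESENT[x >> 4]

def expand(t: int, shift: int) -> int:
    """Expansion unit: shift the S-box output by `shift` bits (claims 2 and 4:
    half the S-box width, or half plus an integer multiple of the width)."""
    return (t << shift) & MASK32

def key_transform(key: int, constant: int, shift: int = SBOX_BITS // 2) -> Tuple[int, int]:
    """One key transform device: returns (expansion key, input key of the next stage)."""
    first_key = (key >> 56) & 0xFF      # assumed: the top byte feeds the S-box
    second_key = key & MASK32           # assumed: the low 32 bits feed the adder
    t = sbox8(first_key ^ constant)     # exclusive-OR with the stage constant, then S-box
    ext_key = (second_key + expand(t, shift)) & MASK32  # add with carry-up, not XOR
    next_key = ((key << 8) | (key >> 56)) & MASK64      # shift the input key toward the MSB
    return ext_key, next_key

def generate_expansion_keys(key: int, constants: Sequence[int]) -> List[int]:
    """Cascade: each key transform device hands its shifted key to the next."""
    keys, k = [], key
    for c in constants:
        ext, k = key_transform(k, c)
        keys.append(ext)
    return keys

def expansion_key_distance(key_a: int, key_b: int, constants: Sequence[int]) -> int:
    """Hamming distance between the expansion keys of two input keys; with
    key_b = key_a ^ 1 it shows how far the carry chain spreads one flipped bit."""
    ka = generate_expansion_keys(key_a, constants)
    kb = generate_expansion_keys(key_b, constants)
    return sum(bin(x ^ y).count("1") for x, y in zip(ka, kb))

if __name__ == "__main__":
    CONSTANTS = [0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF]  # constructed
    KEY = 0x0123456789ABCDEF                                      # constructed
    print([hex(k) for k in generate_expansion_keys(KEY, CONSTANTS)])
    print(expansion_key_distance(KEY, KEY ^ 1, CONSTANTS))
```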
[0058] The probability for a given (local) linear 
characteristic, i.e. the probability that the linear relation on the 
input bits defined by α equals the linear relation on the output 
bits defined by β (denoted by α→β), equals 1/2 + L_j^{α,β}/16. 
Note that the entries in the first row and column of these 
tables represent the trivial characteristic, i.e. 0→0 with 
probability one, which holds for any mapping. It is easily 
seen that all other (non-trivial) differential characteristics 
have probability between 1/4 and 3/4, since the minimum and 
maximum value over all other entries equal minus four and 
four respectively for both permutations. 

[0059] Linear approximation table of P1 

[0060] The compensation effect can, for instance, be seen 
by considering the linear characteristic 2→3 for both 
permutations. For P0 the probability that 2→3 equals 
1/2 + L_0^{2,3}/16 = 3/4, for P1 this probability is given by 
1/2 + L_1^{2,3}/16 = 1/4. Preferably this compensation occurs for 
as many elements as possible. In the example, this holds for 
all elements with the maximum absolute value of four. Using 
well-known techniques for generating and testing permutations, 
a person skilled in the art can create eight such pairs of 
permutations within a few days for 4-bit permutations. 
Alternatively, a different pair of permutations P0* and P1* 
satisfying the criteria can be constructed from P0 and P1 by 
e.g. applying an affine transformation on the output of both 
of these permutations. This can be done by selecting a 
non-singular 4x4 matrix A over Z_2 and a vector b ∈ Z_2^4 and 
defining P0*(x) := P0(x)A ⊕ b and P1*(x) := P1(x)A ⊕ b for 
all x ∈ Z_2^4. It can be easily verified that in this way 322560 
different (ordered) pairs of permutations can be constructed, 
each of which satisfies all above criteria. Note that one of 
these transformations is the identity mapping from Z_2^4 → 
Z_2^4, i.e. P0* = P0 and 
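The linear approximation table of paragraph [0058] (probability 1/2 + L/16, entries between minus four and four), the differential bound p_diff = 1/4 of claims 3 to 5, and the affine output transformation P*(x) = P(x)A ⊕ b of paragraph [0060] with its 322560 ordered pairs, as an added example that is not the applicant's code. P0 is the public PRESENT 4-bit S-box, a constructed stand-in for one permutation of the applicant's set; the matrix A is encoded as four row bitmasks.

```python
"""Linear/differential tables of 4-bit permutations and the affine output
transformation P*(x) = P(x)A xor b of paragraph [0060]. Added example, not the
applicant's code; P0 is the public PRESENT S-box, a constructed stand-in."""
from functools import reduce
from itertools import product

N, SIZE = 4, 16
P0 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def parity(v: int) -> int:
    return bin(v).count("1") & 1

def lat(perm):
    """L[a][b] = #{x : a.x = b.P(x)} - 8, so Pr[a -> b] = 1/2 + L[a][b]/16."""
    return [[sum(parity(a & x) == parity(b & perm[x]) for x in range(SIZE)) - SIZE // 2
             for b in range(SIZE)] for a in range(SIZE)]

def ddt(perm):
    """D[dx][dy] = #{x : P(x) xor P(x xor dx) = dy}, so Pr[dx -> dy] = D[dx][dy]/16."""
    table = [[0] * SIZE for _ in range(SIZE)]
    for dx, x in product(range(SIZE), repeat=2):
        table[dx][perm[x] ^ perm[x ^ dx]] += 1
    return table

def max_nontrivial(table) -> int:
    """Largest absolute entry outside the trivial first row and column."""
    return max(abs(table[a][b]) for a in range(1, SIZE) for b in range(1, SIZE))

def vec_mat(x: int, rows) -> int:
    """Row vector x times matrix A over Z_2; A is given as N row bitmasks."""
    return reduce(lambda acc, i: acc ^ rows[i], (i for i in range(N) if x >> i & 1), 0)

def affine_image(perm, rows, b: int):
    """P*(x) := P(x)A xor b for all x in Z_2^4, as in paragraph [0060]."""
    return [vec_mat(perm[x], rows) ^ b for x in range(SIZE)]

def is_nonsingular(rows) -> bool:
    """Gaussian elimination over Z_2 on the N row bitmasks."""
    rows, rank = list(rows), 0
    for bit in range(N):
        pivot = next((i for i in range(rank, N) if rows[i] >> bit & 1), None)
        if pivot is None:
            return False
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(N):
            if i != rank and rows[i] >> bit & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return True

def count_affine_transforms() -> int:
    """Non-singular 4x4 matrices over Z_2 (20160) times the 16 vectors b."""
    return sum(is_nonsingular(r) for r in product(range(SIZE), repeat=N)) * SIZE
```

Applying `affine_image` to both permutations of a pair leaves every |L| and DDT entry's magnitude in place (rows of the tables are only permuted and possibly sign-flipped), which is why all 322560 derived pairs keep the criteria.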

1. A method for cryptographically converting an input 
data block into an output data block; the method including 
performing a non-linear operation on the input data block 
using an S-box based on a permutation, wherein the method 
includes each time before using the S-box (pseudo-)randomly 
selecting the permutation from a predetermined set of 
at least two permutations associated with the S-box. 

2. A method as claimed in claim 1, wherein the set of 
permutations is formed such that a cryptographic weakness 
in one of the permutations of the set is at least partially 
compensated by a corresponding cryptographic strength in 
at least one of the other permutations of the set. 

3. A method as claimed in claim 1, wherein the data block 
consists of n data bits and each element of the set of 
permutations is a permutation on a set of 2^n elements, 
represented by Z_2^n, where each non-trivial differential 
characteristic of each permutation in this set has a probability of 
at most p_diff; the set of permutations being formed by 
permutations which have been selected such that for each non-trivial 
differential characteristic with probability of p_diff in any of 
the permutations, this differential characteristic has a 
probability lower than p_diff in at least one of the other 
permutations of the set. 

4. A method as claimed in claim 3, wherein the differential 
characteristic has a probability equal to zero in at least one 
of the permutations. 

5. A method as claimed in claim 4, wherein n=4, and 
p_diff = 1/4. 

6. A method as claimed in claim 1, wherein the data block 
consists of n data bits and each element of the set of 
permutations is a permutation on a set of 2^n elements, 
represented by Z_2^n, where each non-trivial linear 
characteristic of each permutation in this set has a probability of at 
least 1/2 - p_lin and at most 1/2 + p_lin, the set of permutations being 
formed by permutations which have been selected such that 
for each non-trivial linear characteristic with probability of 
1/2 - p_lin or 1/2 + p_lin in any of the permutations, this linear 
characteristic has a probability closer to 1/2 in at least one of 
the other permutations of the set. 



7. A method as claimed in claim 5, wherein the linear 
characteristic has a probability equal to 1/2 in at least one of 
the permutations. 

8. A method as claimed in claim 6, wherein n=4 and 

9. A method as claimed in claim 1, wherein the set of 
permutations consists of two permutations. 

10. A method as claimed in claim 1, including performing 
the selection of the permutation under control of an encryp- 
tion key. 

11. A method as claimed in claim 9 and 10, wherein the 
selection of the permutation is performed under control of 
one bit of the encryption key. 

12. A computer program product where the program 
product is operative to cause a processor to perform the 
method of claim 1. 

13. A system for cryptographically converting an input 
data block into an output data block; the system 
including: 

an input for receiving the input data block; 

a storage for storing a predetermined set of at least two 
permutations associated with an S-box; 

a cryptographic processor for performing a non-linear 
operation on the input data block using an S-box based 
on a permutation; the processor being operative to, 
each time before using the S-box, (pseudo-)randomly 
selecting the permutation from the stored set of per- 
mutations associated with the S-box; and 

an output for outputting the processed input data block. 